Merge master into next.

2025-12-18 01:33:15 +01:00 · 2018-11-23 16:36:31 +00:00
parent 3cee874ee3 f4ec168666
commit c20b688a3f
394 changed files with 5820 additions and 1727 deletions
--- a/Information/GeneralStatistics.qhelp
+++ b/Information/GeneralStatistics.qhelp
@@ -15,20 +15,9 @@ functions, and the total number of source code resp. comment lines.</p>
 depends on third-party libraries: low self-containedness means that many dependencies
 are to library classes (as opposed to source classes within the same application).</p>

-</overview>
-<section title="How to Address the Query Results">
-
 <p>The results of this query are purely informative and more useful for getting an overall impression of the application than for
-identifying particular defects.</p>
+identifying particular problems with the code.</p>

+</overview>

-
-
-
-</section>
-<references>
-
-
-
-</references>
 </qhelp>
--- a/Errors/OffsetUseBeforeRangeCheck.ql
+++ b/Errors/OffsetUseBeforeRangeCheck.ql
@@ -5,6 +5,7 @@
 * @kind problem
 * @id cpp/offset-use-before-range-check
 * @problem.severity warning
+ * @precision medium
 * @tags reliability
 *       security
 *       external/cwe/cwe-120
@@ -13,10 +14,29 @@

 import cpp

-from Variable v, LogicalAndExpr andexpr, ArrayExpr access, LTExpr rangecheck
-where access.getArrayOffset() = v.getAnAccess()
-  and andexpr.getLeftOperand().getAChild() = access
-  and andexpr.getRightOperand() = rangecheck
-  and rangecheck.getLeftOperand() = v.getAnAccess()
-  and not access.isInMacroExpansion()
+predicate beforeArrayAccess(Variable v, ArrayExpr access, Expr before) {
+  exists(LogicalAndExpr andexpr |
+    access.getArrayOffset() = v.getAnAccess() and
+    andexpr.getRightOperand().getAChild*() = access and
+    andexpr.getLeftOperand() = before
+  )
+}
+
+predicate afterArrayAccess(Variable v, ArrayExpr access, Expr after) {
+  exists(LogicalAndExpr andexpr |
+    access.getArrayOffset() = v.getAnAccess() and
+    andexpr.getLeftOperand().getAChild*() = access and
+    andexpr.getRightOperand() = after
+  )
+}
+
+from Variable v, ArrayExpr access, LTExpr rangecheck
+where
+  afterArrayAccess(v, access, rangecheck) and
+  rangecheck.getLeftOperand() = v.getAnAccess() and
+  not access.isInMacroExpansion() and
+  not exists(LTExpr altcheck |
+    beforeArrayAccess(v, access, altcheck) and
+    altcheck.getLeftOperand() = v.getAnAccess()
+  )
 select access, "This use of offset '" + v.getName() + "' should follow the $@.", rangecheck, "range check"
--- a/Constants/MagicNumbersUseConstant.ql
+++ b/Constants/MagicNumbersUseConstant.ql
@@ -4,6 +4,8 @@
 * @kind problem
 * @id cpp/use-number-constant
 * @problem.severity recommendation
+ * @precision low
+ * @tags maintainability
 */
 import cpp
 import MagicConstants
--- a/Constants/MagicStringsUseConstant.ql
+++ b/Constants/MagicStringsUseConstant.ql
@@ -4,6 +4,8 @@
 * @kind problem
 * @id cpp/use-string-constant
 * @problem.severity recommendation
+ * @precision low
+ * @tags maintainability
 */
 import cpp
 import MagicConstants
--- a/Practices/NVI.ql
+++ b/Practices/NVI.ql
@@ -4,7 +4,9 @@
 *              to enforce invariants that should hold for the whole hierarchy.
 * @kind problem
 * @id cpp/nvi
- * @problem.severity warning
+ * @problem.severity recommendation
+ * @precision low
+ * @tags maintainability
 */
 import cpp

--- a/Practices/NVIHub.ql
+++ b/Practices/NVIHub.ql
@@ -4,8 +4,11 @@
 *              to enforce invariants that should hold for the whole hierarchy.
 *              This is especially problematic in classes with many
 *              dependencies or dependents.
- * @kind table
+ * @kind problem
 * @id cpp/nvi-hub
+ * @problem.severity recommendation
+ * @precision low
+ * @tags maintainability
 */
 import cpp

@@ -19,4 +22,4 @@ where f.hasSpecifier("public") and
      fclass = f.getDeclaringType() and
      hubIndex = fclass.getMetrics().getAfferentCoupling() * fclass.getMetrics().getEfferentCoupling() and
      hubIndex > 100
-select f.getFile(), f, "Avoid having public virtual methods (NVI idiom)"
+select f, "Avoid having public virtual methods (NVI idiom)"
--- a/Entities/UnusedIncludes.ql
+++ b/Entities/UnusedIncludes.ql
@@ -4,7 +4,10 @@
 *              the included elements are used.
 * @kind problem
 * @id cpp/unused-includes
- * @problem.severity warning
+ * @problem.severity recommendation
+ * @precision low
+ * @tags maintainability
+ *       useless-code
 */

 import cpp
--- a/cpp/ql/src/Critical/OverflowStatic.ql
+++ b/cpp/ql/src/Critical/OverflowStatic.ql
@@ -82,22 +82,31 @@ class CallWithBufferSize extends FunctionCall
  Expr buffer() {
    exists(int i |
      bufferAndSizeFunction(this.getTarget(), i, _) and
-      result = this.getArgument(i))
+      result = this.getArgument(i)
+    )
  }
-  Expr statedSize() {
+  Expr statedSizeExpr() {
    exists(int i |
      bufferAndSizeFunction(this.getTarget(), _, i) and
-      result = this.getArgument(i))
+      result = this.getArgument(i)
+    )
+  }
+  int statedSizeValue() {
+    exists(Expr statedSizeSrc |
+      DataFlow::localFlow(DataFlow::exprNode(statedSizeSrc), DataFlow::exprNode(statedSizeExpr())) and
+      result = statedSizeSrc.getValue().toInt()
+    )
  }
 }

 predicate wrongBufferSize(Expr error, string msg) {
-  exists(CallWithBufferSize call, int bufsize, Variable buf |
+  exists(CallWithBufferSize call, int bufsize, Variable buf, int statedSize |
    staticBuffer(call.buffer(), buf, bufsize) and
-    call.statedSize().getValue().toInt() > bufsize and
-    error = call.statedSize() and
+    statedSize = min(call.statedSizeValue()) and
+    statedSize > bufsize and
+    error = call.statedSizeExpr() and
    msg = "Potential buffer-overflow: '" + buf.getName() +
-    "' has size " + bufsize.toString() + " not " + call.statedSize().getValue() + ".")
+    "' has size " + bufsize.toString() + " not " + statedSize + ".")
 }

 predicate outOfBounds(BufferAccess bufaccess, string msg)
--- a/cpp/ql/src/JPL_C/LOC-3/Rule
+++ b/cpp/ql/src/JPL_C/LOC-3/Rule
@@ -12,5 +12,6 @@ from GlobalVariable v
 where forex(VariableAccess va | va.getTarget() = v | va.getFile() = v.getDefinitionLocation().getFile())
      and not v.hasSpecifier("static")
      and strictcount(v.getAnAccess().getEnclosingFunction()) > 1 // If = 1, variable should be function-scope.
+      and not v.getADeclarationEntry().getFile() instanceof HeaderFile // intended to be accessed elsewhere
 select v, "The global variable " + v.getName() + " is not accessed outside of " + v.getFile().getBaseName()
      + " and could be made static."
--- a/cpp/ql/src/JPL_C/LOC-3/Rule
+++ b/cpp/ql/src/JPL_C/LOC-3/Rule
@@ -10,5 +10,7 @@ import cpp

 from GlobalVariable v, Function f
 where v.getAnAccess().getEnclosingFunction() = f and
-      strictcount(v.getAnAccess().getEnclosingFunction()) = 1
+      strictcount(v.getAnAccess().getEnclosingFunction()) = 1 and
+      forall(VariableAccess a | a = v.getAnAccess() | exists(a.getEnclosingFunction())) and
+      not v.getADeclarationEntry().getFile() instanceof HeaderFile // intended to be accessed elsewhere
 select v, "The variable " + v.getName() + " is only accessed in $@ and should be scoped accordingly.", f, f.getName()
--- a/Bugs/Arithmetic/PointlessSelfComparison.ql
+++ b/Bugs/Arithmetic/PointlessSelfComparison.ql
@@ -18,4 +18,12 @@ from ComparisonOperation cmp
 where pointlessSelfComparison(cmp)
  and not nanTest(cmp)
  and not overflowTest(cmp)
+  and not exists(MacroInvocation mi | 
+    // cmp is in mi 
+    mi.getAnExpandedElement() = cmp and 
+  
+    // and cmp was apparently not passed in as a macro parameter 
+    cmp.getLocation().getStartLine() = mi.getLocation().getStartLine() and 
+    cmp.getLocation().getStartColumn() = mi.getLocation().getStartColumn() 
+  ) 
 select cmp, "Self comparison."
--- a/Management/Padding/More64BitWaste.ql
+++ b/Management/Padding/More64BitWaste.ql
@@ -4,6 +4,8 @@
 * @kind problem
 * @id cpp/more-64-bit-waste
 * @problem.severity warning
+ * @tags maintainability
+ *       portability
 */

 import semmle.code.cpp.padding.Padding
--- a/Management/Padding/NonPortablePrintf.ql
+++ b/Management/Padding/NonPortablePrintf.ql
@@ -5,6 +5,8 @@
 * @kind problem
 * @id cpp/non-portable-printf
 * @problem.severity warning
+ * @tags maintainability
+ *       portability
 */

 import cpp
--- a/Management/Padding/Suboptimal64BitType.ql
+++ b/Management/Padding/Suboptimal64BitType.ql
@@ -4,7 +4,8 @@
 *    that by reordering them one could reduce the amount of internal padding on a 64-bit architecture.
 * @kind problem
 * @id cpp/suboptimal-64-bit-type
- * @problem.severity warning
+ * @problem.severity recommendation
+ * @tags efficiency
 */

 import semmle.code.cpp.padding.Padding
--- a/cpp/ql/src/Metrics/History/HChurn.ql
+++ b/cpp/ql/src/Metrics/History/HChurn.ql
@@ -7,6 +7,7 @@
 * @treemap.warnOn highValues
 * @metricType file
 * @metricAggregate avg sum max
+ * @deprecated
 */
 import cpp
 import external.VCS
--- a/cpp/ql/src/Metrics/History/HLinesAdded.ql
+++ b/cpp/ql/src/Metrics/History/HLinesAdded.ql
@@ -7,6 +7,7 @@
 * @treemap.warnOn highValues
 * @metricType file
 * @metricAggregate avg sum max
+ * @deprecated
 */
 import cpp
 import external.VCS
--- a/cpp/ql/src/Metrics/History/HLinesDeleted.ql
+++ b/cpp/ql/src/Metrics/History/HLinesDeleted.ql
@@ -7,6 +7,7 @@
 * @treemap.warnOn highValues
 * @metricType file
 * @metricAggregate avg sum max
+ * @deprecated
 */
 import cpp
 import external.VCS
--- a/cpp/ql/src/Metrics/History/HNumberOfAuthors.ql
+++ b/cpp/ql/src/Metrics/History/HNumberOfAuthors.ql
@@ -6,6 +6,7 @@
 * @treemap.warnOn highValues
 * @metricType file
 * @metricAggregate avg min max
+ * @deprecated
 */
 import cpp
 import external.VCS
--- a/cpp/ql/src/Metrics/History/HNumberOfChanges.ql
+++ b/cpp/ql/src/Metrics/History/HNumberOfChanges.ql
@@ -7,6 +7,7 @@
 * @treemap.warnOn highValues
 * @metricType file
 * @metricAggregate avg min max sum
+ * @deprecated
 */
 import cpp
 import external.VCS
--- a/cpp/ql/src/Metrics/History/HNumberOfCoCommits.ql
+++ b/cpp/ql/src/Metrics/History/HNumberOfCoCommits.ql
@@ -7,6 +7,7 @@
 * @treemap.warnOn highValues
 * @metricType file
 * @metricAggregate avg min max
+ * @deprecated
 */
 import cpp
 import external.VCS
--- a/cpp/ql/src/Metrics/History/HNumberOfReCommits.ql
+++ b/cpp/ql/src/Metrics/History/HNumberOfReCommits.ql
@@ -7,6 +7,7 @@
 * @treemap.warnOn highValues
 * @metricType file
 * @metricAggregate avg min max
+ * @deprecated
 */
 import cpp
 import external.VCS
--- a/cpp/ql/src/Metrics/History/HNumberOfRecentAuthors.ql
+++ b/cpp/ql/src/Metrics/History/HNumberOfRecentAuthors.ql
@@ -7,6 +7,7 @@
 * @treemap.warnOn highValues
 * @metricType file
 * @metricAggregate avg min max
+ * @deprecated
 */
 import cpp
 import external.VCS
--- a/cpp/ql/src/Metrics/History/HNumberOfRecentChangedFiles.ql
+++ b/cpp/ql/src/Metrics/History/HNumberOfRecentChangedFiles.ql
@@ -6,6 +6,7 @@
 * @treemap.warnOn highValues
 * @metricType file
 * @metricAggregate avg min max sum
+ * @deprecated
 */
 import cpp
 import external.VCS
--- a/cpp/ql/src/Metrics/History/HNumberOfRecentChanges.ql
+++ b/cpp/ql/src/Metrics/History/HNumberOfRecentChanges.ql
@@ -6,6 +6,7 @@
 * @treemap.warnOn highValues
 * @metricType file
 * @metricAggregate avg min max sum
+ * @deprecated
 */
 import cpp
 import external.VCS
--- a/6/GlobalCouldBeStatic.ql
+++ b/6/GlobalCouldBeStatic.ql
@@ -12,5 +12,6 @@ from GlobalVariable v
 where forex(VariableAccess va | va.getTarget() = v | va.getFile() = v.getDefinitionLocation().getFile())
      and not v.hasSpecifier("static")
      and strictcount(v.getAnAccess().getEnclosingFunction()) > 1 // If = 1, variable should be function-scope.
+      and not v.getADeclarationEntry().getFile() instanceof HeaderFile // intended to be accessed elsewhere
 select v, "The global variable " + v.getName() + " is not accessed outside of " + v.getFile().getBaseName() +
      " and could be made static."
--- a/6/VariableScopeTooLarge.ql
+++ b/6/VariableScopeTooLarge.ql
@@ -10,5 +10,7 @@ import cpp

 from GlobalVariable v, Function f
 where v.getAnAccess().getEnclosingFunction() = f and
-      strictcount(v.getAnAccess().getEnclosingFunction()) = 1
+      strictcount(v.getAnAccess().getEnclosingFunction()) = 1 and
+      forall(VariableAccess a | a = v.getAnAccess() | exists(a.getEnclosingFunction())) and
+      not v.getADeclarationEntry().getFile() instanceof HeaderFile // intended to be accessed elsewhere
 select v, "The variable " + v.getName() + " is only accessed in $@ and should be scoped accordingly.", f, f.getName()
--- a/cpp/ql/src/external/tests/DefectFilter.ql
+++ b/cpp/ql/src/external/tests/DefectFilter.ql
@@ -4,7 +4,6 @@
 */
 import cpp
 import external.DefectFilter
-import external.VCS

 from DefectResult res
 where res.getFile().getMetrics().getNumberOfLinesOfCode() > 200
--- a/cpp/ql/src/external/tests/DefectFromSVN.ql
+++ b/cpp/ql/src/external/tests/DefectFromSVN.ql
@@ -3,6 +3,7 @@
 * @description A test case for creating a defect from SVN data.
 * @kind problem
 * @problem.severity warning
+ * @deprecated
 */

 import cpp
--- a/cpp/ql/src/external/tests/MetricFromSVN.ql
+++ b/cpp/ql/src/external/tests/MetricFromSVN.ql
@@ -3,6 +3,7 @@
 * @description Find number of commits for a file
 * @treemap.warnOn lowValues
 * @metricType file
+ * @deprecated
 */

 import cpp
--- a/cpp/ql/src/filters/RecentDefects.ql
+++ b/cpp/ql/src/filters/RecentDefects.ql
@@ -6,6 +6,7 @@
 *              before the date of the snapshot.
 * @kind problem
 * @id cpp/recent-defects-filter
+ * @deprecated
 */
 import cpp
 import external.DefectFilter
--- a/cpp/ql/src/filters/RecentDefectsForMetric.ql
+++ b/cpp/ql/src/filters/RecentDefectsForMetric.ql
@@ -6,6 +6,7 @@
 *              before the snapshot.
 * @kind treemap
 * @id cpp/recent-defects-for-metric-filter
+ * @deprecated
 */
 import cpp
 import external.MetricFilter
--- a/cpp/ql/src/jsf/3.02
+++ b/cpp/ql/src/jsf/3.02
@@ -4,6 +4,8 @@
 * @kind problem
 * @id cpp/jsf/av-rule-1
 * @problem.severity warning
+ * @tags maintainability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/3.02
+++ b/cpp/ql/src/jsf/3.02
@@ -4,6 +4,10 @@
 * @kind problem
 * @id cpp/jsf/av-rule-2
 * @problem.severity error
+ * @tags maintainability
+ *       readability
+ *       testability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/3.02
+++ b/cpp/ql/src/jsf/3.02
@@ -3,7 +3,9 @@
 * @description All functions shall have a cyclomatic complexity number of 20 or less.
 * @kind problem
 * @id cpp/jsf/av-rule-3
- * @problem.severity error
+ * @problem.severity recommendation
+ * @tags maintainability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.04
+++ b/cpp/ql/src/jsf/4.04
@@ -4,6 +4,9 @@
 * @kind problem
 * @id cpp/jsf/av-rule-11
 * @problem.severity warning
+ * @tags maintainability
+ *       readability
+ *       external/jsf
 */
 import cpp
 import external.ExternalArtifact
--- a/cpp/ql/src/jsf/4.04
+++ b/cpp/ql/src/jsf/4.04
@@ -4,6 +4,9 @@
 * @kind problem
 * @id cpp/jsf/av-rule-12
 * @problem.severity warning
+ * @tags maintainability
+ *       readability
+ *       external/jsf
 */

 import cpp
--- a/cpp/ql/src/jsf/4.04
+++ b/cpp/ql/src/jsf/4.04
@@ -4,6 +4,9 @@
 * @kind problem
 * @id cpp/jsf/av-rule-13
 * @problem.severity error
+ * @tags maintainability
+ *       portability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.04
+++ b/cpp/ql/src/jsf/4.04
@@ -4,6 +4,9 @@
 * @kind problem
 * @id cpp/jsf/av-rule-14
 * @problem.severity error
+ * @tags maintainability
+ *       readability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.04
+++ b/cpp/ql/src/jsf/4.04
@@ -4,6 +4,9 @@
 * @kind problem
 * @id cpp/jsf/av-rule-9
 * @problem.severity warning
+ * @tags maintainability
+ *       portability
+ *       external/jsf
 */

 import cpp
--- a/cpp/ql/src/jsf/4.05
+++ b/cpp/ql/src/jsf/4.05
@@ -4,6 +4,8 @@
 * @kind problem
 * @id cpp/jsf/av-rule-17
 * @problem.severity error
+ * @tags maintainability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.05
+++ b/cpp/ql/src/jsf/4.05
@@ -4,6 +4,8 @@
 * @kind problem
 * @id cpp/jsf/av-rule-18
 * @problem.severity error
+ * @tags maintainability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.05
+++ b/cpp/ql/src/jsf/4.05
@@ -4,6 +4,8 @@
 * @kind problem
 * @id cpp/jsf/av-rule-19
 * @problem.severity error
+ * @tags maintainability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.05
+++ b/cpp/ql/src/jsf/4.05
@@ -4,6 +4,10 @@
 * @kind problem
 * @id cpp/jsf/av-rule-20
 * @problem.severity error
+ * @tags correctness
+ *       portability
+ *       readability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.05
+++ b/cpp/ql/src/jsf/4.05
@@ -4,6 +4,9 @@
 * @kind problem
 * @id cpp/jsf/av-rule-21
 * @problem.severity error
+ * @tags correctness
+ *       portability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.05
+++ b/cpp/ql/src/jsf/4.05
@@ -4,6 +4,9 @@
 * @kind problem
 * @id cpp/jsf/av-rule-22
 * @problem.severity error
+ * @tags maintainability
+ *       portability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.05
+++ b/cpp/ql/src/jsf/4.05
@@ -4,6 +4,9 @@
 * @kind problem
 * @id cpp/jsf/av-rule-23
 * @problem.severity error
+ * @tags correctness
+ *       portability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.05
+++ b/cpp/ql/src/jsf/4.05
@@ -4,7 +4,9 @@
 * @kind problem
 * @id cpp/jsf/av-rule-24
 * @problem.severity warning
- * @tags portability
+ * @tags correctness
+ *       portability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.05
+++ b/cpp/ql/src/jsf/4.05
@@ -4,6 +4,9 @@
 * @kind problem
 * @id cpp/jsf/av-rule-25
 * @problem.severity error
+ * @tags correctness
+ *       portability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.06
+++ b/cpp/ql/src/jsf/4.06
@@ -4,6 +4,8 @@
 * @kind problem
 * @id cpp/jsf/av-rule-26
 * @problem.severity error
+ * @tags maintainability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.06
+++ b/cpp/ql/src/jsf/4.06
@@ -4,6 +4,9 @@
 * @kind problem
 * @id cpp/jsf/av-rule-27
 * @problem.severity warning
+ * @tags maintainability
+ *       portability
+ *       external/jsf
 */
 import cpp
 import semmle.code.cpp.headers.MultipleInclusion
--- a/cpp/ql/src/jsf/4.06
+++ b/cpp/ql/src/jsf/4.06
@@ -4,6 +4,8 @@
 * @kind problem
 * @id cpp/jsf/av-rule-28
 * @problem.severity warning
+ * @tags maintainability
+ *       external/jsf
 */
 import cpp
 import semmle.code.cpp.headers.MultipleInclusion
--- a/cpp/ql/src/jsf/4.06
+++ b/cpp/ql/src/jsf/4.06
@@ -4,6 +4,8 @@
 * @kind problem
 * @id cpp/jsf/av-rule-29
 * @problem.severity error
+ * @tags maintainability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.06
+++ b/cpp/ql/src/jsf/4.06
@@ -4,6 +4,8 @@
 * @kind problem
 * @id cpp/jsf/av-rule-30
 * @problem.severity error
+ * @tags maintainability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.06
+++ b/cpp/ql/src/jsf/4.06
@@ -4,6 +4,8 @@
 * @kind problem
 * @id cpp/jsf/av-rule-31
 * @problem.severity warning
+ * @tags maintainability
+ *       external/jsf
 */
 import cpp
 import semmle.code.cpp.headers.MultipleInclusion
--- a/cpp/ql/src/jsf/4.06
+++ b/cpp/ql/src/jsf/4.06
@@ -7,6 +7,8 @@
 * @id cpp/include-non-header
 * @tags maintainability
 *       modularity
+ *       readability
+ *       external/jsf
 */
 import cpp
 import semmle.code.cpp.AutogeneratedFile
--- a/cpp/ql/src/jsf/4.07
+++ b/cpp/ql/src/jsf/4.07
@@ -4,6 +4,9 @@
 * @kind problem
 * @id cpp/jsf/av-rule-33
 * @problem.severity error
+ * @tags maintainability
+ *       portability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.07
+++ b/cpp/ql/src/jsf/4.07
@@ -10,6 +10,7 @@
 * @tags efficiency
 *       maintainability
 *       modularity
+ *       external/jsf
 */
 import cpp
 import semmle.code.cpp.headers.MultipleInclusion
--- a/cpp/ql/src/jsf/4.07
+++ b/cpp/ql/src/jsf/4.07
@@ -4,6 +4,8 @@
 * @kind problem
 * @id cpp/jsf/av-rule-39
 * @problem.severity warning
+ * @tags maintainability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.08
+++ b/cpp/ql/src/jsf/4.08
@@ -4,6 +4,8 @@
 * @kind problem
 * @id cpp/jsf/av-rule-40
 * @problem.severity error
+ * @tags correctness
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.09
+++ b/cpp/ql/src/jsf/4.09
@@ -3,7 +3,10 @@
 * @description Source lines will be kept to a length of 120 characters or less.
 * @kind problem
 * @id cpp/jsf/av-rule-41
- * @problem.severity warning
+ * @problem.severity recommendation
+ * @tags maintainability
+ *       readability
+ *       external/jsf
 */

 import cpp
--- a/cpp/ql/src/jsf/4.09
+++ b/cpp/ql/src/jsf/4.09
@@ -3,7 +3,10 @@
 * @description Each expression-statement will be on a separate line.
 * @kind problem
 * @id cpp/jsf/av-rule-42
- * @problem.severity warning
+ * @problem.severity recommendation
+ * @tags maintainability
+ *       readability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.09
+++ b/cpp/ql/src/jsf/4.09
@@ -4,6 +4,9 @@
 * @kind problem
 * @id cpp/jsf/av-rule-43
 * @problem.severity recommendation
+ * @tags maintainability
+ *       readability
+ *       external/jsf
 */

 import cpp
--- a/cpp/ql/src/jsf/4.09
+++ b/cpp/ql/src/jsf/4.09
@@ -3,7 +3,10 @@
 * @description All indentations will be at least two spaces and be consistent within the same source file.
 * @kind problem
 * @id cpp/jsf/av-rule-44
- * @problem.severity warning
+ * @problem.severity recommendation
+ * @tags maintainability
+ *       readability
+ *       external/jsf
 */

 import cpp
--- a/cpp/ql/src/jsf/4.09
+++ b/cpp/ql/src/jsf/4.09
@@ -3,7 +3,10 @@
 * @description All words in an identifier will be separated by the underscore character.
 * @kind problem
 * @id cpp/jsf/av-rule-45
- * @problem.severity warning
+ * @problem.severity recommendation
+ * @tags maintainability
+ *       readability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.09
+++ b/cpp/ql/src/jsf/4.09
@@ -3,7 +3,10 @@
 * @description User-specified identifiers (internal and external) will not rely on significance of more than 64 characters.
 * @kind problem
 * @id cpp/jsf/av-rule-46
- * @problem.severity warning
+ * @problem.severity recommendation
+ * @tags maintainability
+ *       readability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.09
+++ b/cpp/ql/src/jsf/4.09
@@ -3,7 +3,9 @@
 * @description Identifiers will not begin with the underscore character.
 * @kind problem
 * @id cpp/jsf/av-rule-47
- * @problem.severity warning
+ * @problem.severity recommendation
+ * @tags maintainability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.09
+++ b/cpp/ql/src/jsf/4.09
@@ -4,6 +4,9 @@
 * @kind problem
 * @id cpp/jsf/av-rule-48
 * @problem.severity warning
+ * @tags maintainability
+ *       readability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.09
+++ b/cpp/ql/src/jsf/4.09
@@ -3,7 +3,10 @@
 * @description All acronyms in an identifier will be composed of uppercase letters.
 * @kind problem
 * @id cpp/jsf/av-rule-49
- * @problem.severity warning
+ * @problem.severity recommendation
+ * @tags maintainability
+ *       readability
+ *       external/jsf
 */
 import cpp
 import Naming
--- a/cpp/ql/src/jsf/4.09
+++ b/cpp/ql/src/jsf/4.09
@@ -3,7 +3,10 @@
 * @description The first word of the name of a class, structure, namespace, enumeration, or type created with typedef will begin with an uppercase letter. All other letters will be lowercase.
 * @kind problem
 * @id cpp/jsf/av-rule-50
- * @problem.severity warning
+ * @problem.severity recommendation
+ * @tags maintainability
+ *       readability
+ *       external/jsf
 */
 import cpp
 import Naming
--- a/cpp/ql/src/jsf/4.09
+++ b/cpp/ql/src/jsf/4.09
@@ -3,7 +3,10 @@
 * @description All letters contained in function and variable names will be lowercase.
 * @kind problem
 * @id cpp/jsf/av-rule-51
- * @problem.severity warning
+ * @problem.severity recommendation
+ * @tags maintainability
+ *       readability
+ *       external/jsf
 */
 import cpp
 import Naming
--- a/cpp/ql/src/jsf/4.09
+++ b/cpp/ql/src/jsf/4.09
@@ -3,7 +3,10 @@
 * @description Identifiers for constant and enumerator values shall be lowercase.
 * @kind problem
 * @id cpp/jsf/av-rule-52
- * @problem.severity error
+ * @problem.severity recommendation
+ * @tags maintainability
+ *       readability
+ *       external/jsf
 */
 import cpp
 import Naming
--- a/cpp/ql/src/jsf/4.09
+++ b/cpp/ql/src/jsf/4.09
@@ -3,7 +3,10 @@
 * @description The following character sequences shall not appear in header file names: ', \, /*, //, or ".
 * @kind problem
 * @id cpp/jsf/av-rule-53-1
- * @problem.severity error
+ * @problem.severity warning
+ * @tags maintainability
+ *       portability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.09
+++ b/cpp/ql/src/jsf/4.09
@@ -3,7 +3,10 @@
 * @description Header files will always have a file name extension of .h.
 * @kind problem
 * @id cpp/jsf/av-rule-53
- * @problem.severity warning
+ * @problem.severity recommendation
+ * @tags maintainability
+ *       readability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.09
+++ b/cpp/ql/src/jsf/4.09
@@ -3,7 +3,10 @@
 * @description Implementation files will always have a file name extension of .cpp.
 * @kind problem
 * @id cpp/jsf/av-rule-54
- * @problem.severity warning
+ * @problem.severity recommendation
+ * @tags maintainability
+ *       readability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.09
+++ b/cpp/ql/src/jsf/4.09
@@ -3,7 +3,10 @@
 * @description The public, protected, and private sections of a class will be declared in that order.
 * @kind problem
 * @id cpp/jsf/av-rule-57
- * @problem.severity warning
+ * @problem.severity recommendation
+ * @tags maintainability
+ *       readability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.09
+++ b/cpp/ql/src/jsf/4.09
@@ -3,7 +3,10 @@
 * @description When declaring and defining functions with more than two parameters, the leading parenthesis and the first argument will be written on the same line as the function name. Each additional argument will be written on a separate line (with the closing parenthesis directly after the last argument).
 * @kind problem
 * @id cpp/jsf/av-rule-58
- * @problem.severity warning
+ * @problem.severity recommendation
+ * @tags maintainability
+ *       readability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.09
+++ b/cpp/ql/src/jsf/4.09
@@ -3,7 +3,10 @@
 * @description The statements forming the body of an if, else if, else, while, do-while or for statement shall always be enclosed in braces, even if the braces form an empty block.
 * @kind problem
 * @id cpp/jsf/av-rule-59
- * @problem.severity error
+ * @problem.severity recommendation
+ * @tags maintainability
+ *       readability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.09
+++ b/cpp/ql/src/jsf/4.09
@@ -3,7 +3,10 @@
 * @description Braces which enclose a block will be placed in the same column, on separate lines directly before and after the block.
 * @kind problem
 * @id cpp/jsf/av-rule-60
- * @problem.severity warning
+ * @problem.severity recommendation
+ * @tags maintainability
+ *       readability
+ *       external/jsf
 */

 import cpp
--- a/cpp/ql/src/jsf/4.09
+++ b/cpp/ql/src/jsf/4.09
@@ -3,7 +3,10 @@
 * @description Braces which enclose a block will have nothing else on the line except comments (if necessary).
 * @kind problem
 * @id cpp/jsf/av-rule-61
- * @problem.severity warning
+ * @problem.severity recommendation
+ * @tags maintainability
+ *       readability
+ *       external/jsf
 */

 import cpp
--- a/cpp/ql/src/jsf/4.09
+++ b/cpp/ql/src/jsf/4.09
@@ -3,7 +3,10 @@
 * @description Spaces will not be used around '.' or '->', nor between unary operators and operands.
 * @kind problem
 * @id cpp/jsf/av-rule-63
- * @problem.severity error
+ * @problem.severity recommendation
+ * @tags maintainability
+ *       readability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.10
+++ b/cpp/ql/src/jsf/4.10
@@ -3,7 +3,9 @@
 * @description Unneeded implicitly generated member functions shall be explicitly disallowed.
 * @kind problem
 * @id cpp/jsf/av-rule-68
- * @problem.severity error
+ * @problem.severity warning
+ * @tags correctness
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.10
+++ b/cpp/ql/src/jsf/4.10
@@ -5,6 +5,8 @@
 * @kind problem
 * @id cpp/jsf/av-rule-69
 * @problem.severity warning
+ * @tags maintainability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.10
+++ b/cpp/ql/src/jsf/4.10
@@ -5,7 +5,9 @@
 *              for logical or efficiency reasons.
 * @kind problem
 * @id cpp/jsf/av-rule-70
- * @problem.severity warning
+ * @problem.severity recommendation
+ * @tags maintainability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.10
+++ b/cpp/ql/src/jsf/4.10
@@ -8,6 +8,7 @@
 * @tags reliability
 *       readability
 *       language-features
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.10
+++ b/cpp/ql/src/jsf/4.10
@@ -4,6 +4,8 @@
 * @kind problem
 * @id cpp/jsf/av-rule-71
 * @problem.severity error
+ * @tags correctness
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.10
+++ b/cpp/ql/src/jsf/4.10
@@ -3,8 +3,10 @@
 * @description Unnecessary default constructors shall not be defined.
 * @kind problem
 * @id cpp/jsf/av-rule-73
- * @problem.severity error
+ * @problem.severity recommendation
 * @precision low
+ * @tags maintainability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.10
+++ b/cpp/ql/src/jsf/4.10
@@ -6,6 +6,8 @@
 * @kind problem
 * @id cpp/jsf/av-rule-74
 * @problem.severity warning
+ * @tags correctness
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.10
+++ b/cpp/ql/src/jsf/4.10
@@ -3,7 +3,10 @@
 * @description Members of the initialization list shall be listed in the order in which they are declared in the class.
 * @kind problem
 * @id cpp/jsf/av-rule-75
- * @problem.severity error
+ * @problem.severity recommendation
+ * @tags maintainability
+ *       readability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.10
+++ b/cpp/ql/src/jsf/4.10
@@ -3,7 +3,9 @@
 * @description A copy constructor and an assignment operator shall be declared for classes that contain pointers to data items or nontrivial destructors. If the copy constructor and assignment operators are not required, they should be explicitly disallowed.
 * @kind problem
 * @id cpp/jsf/av-rule-76
- * @problem.severity error
+ * @problem.severity warning
+ * @tags maintainability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.10
+++ b/cpp/ql/src/jsf/4.10
@@ -8,6 +8,7 @@
 * @tags reliability
 *       readability
 *       language-features
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.10
+++ b/cpp/ql/src/jsf/4.10
@@ -3,11 +3,11 @@
 * @description All base classes with a virtual function should define a virtual destructor. If an application attempts to delete a derived class object through a base class pointer, the result is undefined if the base class destructor is non-virtual.
 * @kind problem
 * @problem.severity warning
- * @precision high
 * @id cpp/jsf/av-rule-78
 * @tags reliability
 *       readability
 *       language-features
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.10
+++ b/cpp/ql/src/jsf/4.10
@@ -8,6 +8,7 @@
 * @tags efficiency
 *       readability
 *       external/cwe/cwe-404
+ *       external/jsf
 */
 import cpp
 import Critical.NewDelete
--- a/cpp/ql/src/jsf/4.10
+++ b/cpp/ql/src/jsf/4.10
@@ -4,6 +4,8 @@
 * @kind problem
 * @id cpp/jsf/av-rule-81
 * @problem.severity error
+ * @tags correctness
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.10
+++ b/cpp/ql/src/jsf/4.10
@@ -8,6 +8,7 @@
 * @tags reliability
 *       readability
 *       language-features
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.10
+++ b/cpp/ql/src/jsf/4.10
@@ -4,7 +4,9 @@
 * @kind problem
 * @id cpp/jsf/av-rule-85
 * @problem.severity warning
- * @tags reliability
+ * @tags maintainability
+ *       reliability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.10
+++ b/cpp/ql/src/jsf/4.10
@@ -3,7 +3,9 @@
 * @description A stateful virtual base shall be explicitly declared in each derived class that accesses it. Explicitly declaring a stateful virtual base at each level in a hierarchy (where that base is used), documents that fact that no assumptions can be made with respect to the exclusive use of the data contained within the virtual base.
 * @kind problem
 * @id cpp/jsf/av-rule-88-1
- * @problem.severity error
+ * @problem.severity warning
+ * @tags maintainability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.10
+++ b/cpp/ql/src/jsf/4.10
@@ -5,7 +5,9 @@
 * @problem.severity recommendation
 * @precision high
 * @id cpp/undisciplined-multiple-inheritance
- * @tags readability
+ * @tags maintainability
+ *       readability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.10
+++ b/cpp/ql/src/jsf/4.10
@@ -7,6 +7,7 @@
 * @id cpp/inconsistent-virtual-inheritance
 * @tags maintainability
 *       readability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.10
+++ b/cpp/ql/src/jsf/4.10
@@ -3,7 +3,9 @@
 * @description An inherited nonvirtual function shall not be redefined in a derived class. Such definitions would hide the function in the base class.
 * @kind problem
 * @id cpp/jsf/av-rule-94
- * @problem.severity error
+ * @problem.severity warning
+ * @tags maintainability
+ *       external/jsf
 */
 import cpp

--- a/cpp/ql/src/jsf/4.10
+++ b/cpp/ql/src/jsf/4.10
@@ -7,6 +7,7 @@
 * @id cpp/redefined-default-parameter
 * @tags maintainability
 *       readability
+ *       external/jsf
 */
 import cpp

--- a/Show More
+++ b/Show More