Merge master into next.

Aditya Sharad
2018-11-23 16:36:31 +00:00
394 changed files with 5820 additions and 1727 deletions

View File

@@ -9,21 +9,33 @@
| Cast between `HRESULT` and a Boolean type (`cpp/hresult-boolean-conversion`) | external/cwe/cwe-253 | Finds logic errors caused by mistakenly treating the Windows `HRESULT` type as a Boolean instead of testing it with the appropriate macros. Enabled by default. | | Cast between `HRESULT` and a Boolean type (`cpp/hresult-boolean-conversion`) | external/cwe/cwe-253 | Finds logic errors caused by mistakenly treating the Windows `HRESULT` type as a Boolean instead of testing it with the appropriate macros. Enabled by default. |
| Setting a DACL to `NULL` in a `SECURITY_DESCRIPTOR` (`cpp/unsafe-dacl-security-descriptor`) | external/cwe/cwe-732 | This query finds code that creates world-writable objects on Windows by setting their DACL to `NULL`. Enabled by default. | | Setting a DACL to `NULL` in a `SECURITY_DESCRIPTOR` (`cpp/unsafe-dacl-security-descriptor`) | external/cwe/cwe-732 | This query finds code that creates world-writable objects on Windows by setting their DACL to `NULL`. Enabled by default. |
| Cast from `char*` to `wchar_t*` | security, external/cwe/cwe-704 | Detects potentially dangerous casts from `char*` to `wchar_t*`. Enabled by default on LGTM. | | Cast from `char*` to `wchar_t*` | security, external/cwe/cwe-704 | Detects potentially dangerous casts from `char*` to `wchar_t*`. Enabled by default on LGTM. |
| Dead code due to `goto` or `break` statement (`cpp/dead-code-goto`) | maintainability, external/cwe/cwe-561 | Detects dead code following a goto or break statement. Enabled by default on LGTM. | | Dead code due to `goto` or `break` statement (`cpp/dead-code-goto`) | maintainability, external/cwe/cwe-561 | Detects dead code following a `goto` or `break` statement. Enabled by default on LGTM. |
| Inconsistent direction of for loop | correctness, external/cwe/cwe-835 | This query detects `for` loops where the increment and guard condition don't appear to correspond. Enabled by default on LGTM. |
| Incorrect Not Operator Usage | security, external/cwe/cwe-480 | This query finds uses of the logical not (`!`) operator that look like they should be bit-wise not (`~`). Available but not displayed by default on LGTM. |
| NULL application name with an unquoted path in call to CreateProcess | security, external/cwe/cwe-428 | This query finds unsafe uses of the `CreateProcess` function. Available but not displayed by default on LGTM. |
## Changes to existing queries ## Changes to existing queries
| **Query** | **Expected impact** | **Change** | | **Query** | **Expected impact** | **Change** |
|----------------------------|------------------------|------------------------------------------------------------------| |----------------------------|------------------------|------------------------------------------------------------------|
| Array offset used before range check | More results and fewer false positive results | The query now recognizes array accesses in different positions within the expression. False positives where the range is checked before and after the array access have been fixed. |
| Empty branch of conditional | Fewer false positive results | The query now recognizes commented blocks more reliably. | | Empty branch of conditional | Fewer false positive results | The query now recognizes commented blocks more reliably. |
| Expression has no effect | Fewer false positive results | Expressions in template instantiations are now excluded from this query. | | Expression has no effect | Fewer false positive results | Expressions in template instantiations are now excluded from this query. |
| Global could be static | Fewer false positive results | Variables with declarations in header files are now excluded from this query. |
| Resource not released in destructor | Fewer false positive results | Placement new is now excluded from the query. Also fixed an issue where false positives could occur if the destructor body was not in the snapshot. | | Resource not released in destructor | Fewer false positive results | Placement new is now excluded from the query. Also fixed an issue where false positives could occur if the destructor body was not in the snapshot. |
| Missing return statement (`cpp/missing-return`) | Visible by default | The precision of this query has been increased from 'medium' to 'high', which makes it visible by default in LGTM. It was 'medium' in release 1.17 and 1.18 because it had false positives due to an extractor bug that was fixed in 1.18. | | Missing return statement (`cpp/missing-return`) | Visible by default | The precision of this query has been increased from 'medium' to 'high', which makes it visible by default in LGTM. It was 'medium' in release 1.17 and 1.18 because it had false positives due to an extractor bug that was fixed in 1.18. |
| Missing return statement | Fewer false positive results | The query is now produces correct results when a function returns a template-dependent type. | | Missing return statement | Fewer false positive results | The query is now produces correct results when a function returns a template-dependent type, or makes a non-returning call to another function. |
| Static array access may cause overflow | More correct results | Data flow to the size argument of a buffer operation is now checked in this query. |
| Call to memory access function may overflow buffer | More correct results | Array indexing with a negative index is now detected by this query. | | Call to memory access function may overflow buffer | More correct results | Array indexing with a negative index is now detected by this query. |
| Self comparison | Fewer false positive results | Code inside macro invocations is now excluded from the query. |
| Suspicious call to memset | Fewer false positive results | Types involving decltype are now correctly compared. | | Suspicious call to memset | Fewer false positive results | Types involving decltype are now correctly compared. |
| Suspicious add with sizeof | Fewer false positive results | Arithmetic with void pointers (where allowed) is now excluded from this query. | | Suspicious add with sizeof | Fewer false positive results | Arithmetic with void pointers (where allowed) is now excluded from this query. |
| Wrong type of arguments to formatting function | Fewer false positive results | False positive results involving typedefs have been removed. Expected argument types are determined more accurately, especially for wide string and pointer types. Custom (non-standard) formatting functions are also identified more accurately. | | Wrong type of arguments to formatting function | Fewer false positive results | False positive results involving typedefs have been removed. Expected argument types are determined more accurately, especially for wide string and pointer types. Custom (non-standard) formatting functions are also identified more accurately. |
| AV Rule 164 | Fewer false positive results | This query now accounts for explicit casts. |
| Negation of unsigned value | Fewer false positive results | This query now accounts for explicit casts. |
| Variable scope too large | Fewer false positive results | Variables with declarations in header files, or that are used at file scope, are now excluded from this query. |
| Comparison result is always the same | Fewer false positive results | Comparisons in template instantiations are now excluded from this query. |
| Unsigned comparison to zero | Fewer false positive results | Comparisons in template instantiations are now excluded from this query. |
## Changes to QL libraries ## Changes to QL libraries
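
Review bot: In the second "Missing return statement" row the rewritten text still reads "The query is now produces correct results"; drop the "is". The three rows added near the top of the table (Inconsistent direction of for loop, Incorrect Not Operator Usage, NULL application name with an unquoted path in call to CreateProcess) also omit the query id in parentheses that rows such as `cpp/dead-code-goto` carry, which makes them harder to look up.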

View File

@@ -29,3 +29,7 @@
* `getArgument()` on `AccessorCall` has been improved so it now takes tuple assignments into account. For example, the argument for the implicit `value` parameter in the setter of property `P` is `0` in `(P, x) = (0, 1)`. Additionally, the argument for the `value` parameter in compound assignments is now only the expanded value, for example, in `P += 7` the argument is `P + 7` and not `7`. * `getArgument()` on `AccessorCall` has been improved so it now takes tuple assignments into account. For example, the argument for the implicit `value` parameter in the setter of property `P` is `0` in `(P, x) = (0, 1)`. Additionally, the argument for the `value` parameter in compound assignments is now only the expanded value, for example, in `P += 7` the argument is `P + 7` and not `7`.
* The predicate `isInArgument()` has been added to the `AssignableAccess` class. This holds for expressions that are passed as arguments using `in`. * The predicate `isInArgument()` has been added to the `AssignableAccess` class. This holds for expressions that are passed as arguments using `in`.
## Changes to the autobuilder
* When determining the target of `msbuild` or `dotnet build`, first look for `.proj` files, then `.sln` files, and finally `.csproj`/`.vcxproj` files. In all three cases, choose the project/solution file closest to the root.
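
Review bot: The new autobuilder bullet says to choose the file "closest to the root" but does not say what happens when two candidates of the same kind sit at the same depth. Please state the tie-break behaviour, so that users with several top-level `.sln` files know which one `msbuild` or `dotnet build` will be given.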

View File

@@ -16,6 +16,7 @@
| **Query** | **Expected impact** | **Change** | | **Query** | **Expected impact** | **Change** |
|----------------------------|------------------------|------------------------------------------------------------------| |----------------------------|------------------------|------------------------------------------------------------------|
| Array index out of bounds (`java/index-out-of-bounds`) | Fewer false positive results | False positives involving arrays with a length evenly divisible by 3 or some greater number and an index being increased with a similar stride length are no longer reported. | | Array index out of bounds (`java/index-out-of-bounds`) | Fewer false positive results | False positives involving arrays with a length evenly divisible by 3 or some greater number and an index being increased with a similar stride length are no longer reported. |
| Confusing overloading of methods (`java/confusing-method-signature`) | Fewer false positive results | A bugfix in the inheritance relation ensures that spurious results on certain generic classes no longer occur. |
| Query built from user-controlled sources (`java/sql-injection`) | More results | Sql injection sinks from the Spring JDBC, MyBatis, and Hibernate frameworks are now reported. | | Query built from user-controlled sources (`java/sql-injection`) | More results | Sql injection sinks from the Spring JDBC, MyBatis, and Hibernate frameworks are now reported. |
| Query built without neutralizing special characters (`java/concatenated-sql-query`) | More results | Sql injection sinks from the Spring JDBC, MyBatis, and Hibernate frameworks are now reported. | | Query built without neutralizing special characters (`java/concatenated-sql-query`) | More results | Sql injection sinks from the Spring JDBC, MyBatis, and Hibernate frameworks are now reported. |
| Unreachable catch clause (`java/unreachable-catch-clause`) | Fewer false positive results | This rule now accounts for calls to generic methods that throw generic exceptions. | | Unreachable catch clause (`java/unreachable-catch-clause`) | Fewer false positive results | This rule now accounts for calls to generic methods that throw generic exceptions. |

View File

@@ -4,8 +4,6 @@
* Modelling of taint flow through array operations has been improved. This may give additional results for the security queries. * Modelling of taint flow through array operations has been improved. This may give additional results for the security queries.
* The taint tracking library now recognizes additional sanitization patterns. This may give fewer false-positive results for the security queries.
* Support for AMD modules has been improved. This may give additional results for the security queries as well as any queries that use type inference on code bases that use such modules. * Support for AMD modules has been improved. This may give additional results for the security queries as well as any queries that use type inference on code bases that use such modules.
* Support for popular libraries has been improved. Consequently, queries may produce more results on code bases that use the following features: * Support for popular libraries has been improved. Consequently, queries may produce more results on code bases that use the following features:
@@ -13,6 +11,8 @@
- outbound network access, for example through the [fetch API](https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API) - outbound network access, for example through the [fetch API](https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API)
- the [lodash](https://lodash.com), [underscore](https://underscorejs.org/), [async](https://www.npmjs.com/package/async) and [async-es](https://www.npmjs.com/package/async-es) libraries - the [lodash](https://lodash.com), [underscore](https://underscorejs.org/), [async](https://www.npmjs.com/package/async) and [async-es](https://www.npmjs.com/package/async-es) libraries
* The taint tracking library now recognizes additional sanitization patterns. This may give fewer false-positive results for the security queries.
* Type inference for function calls has been improved. This may give additional results for queries that rely on type inference. * Type inference for function calls has been improved. This may give additional results for queries that rely on type inference.
* Where applicable, path explanations have been added to the security queries. * Where applicable, path explanations have been added to the security queries.
@@ -35,29 +35,38 @@
| **Query** | **Expected impact** | **Change** | | **Query** | **Expected impact** | **Change** |
|--------------------------------|----------------------------|----------------------------------------------| |--------------------------------|----------------------------|----------------------------------------------|
| Ambiguous HTML id attribute | Lower severity | The severity of this rule has been revised to "warning". |
| Clear-text logging of sensitive information | Fewer results | This rule now tracks flow more precisely. |
| Client side cross-site scripting | More results | This rule now also flags HTML injection in the body of an email. | | Client side cross-site scripting | More results | This rule now also flags HTML injection in the body of an email. |
| Client-side URL redirect | Fewer false-positive results | This rule now recognizes safe redirects in more cases. |
| Conflicting HTML element attributes | Lower severity | The severity of this rule has been revised to "warning". |
| Duplicate 'if' condition | Lower severity | The severity of this rule has been revised to "warning". |
| Duplicate switch case | Lower severity | The severity of this rule has been revised to "warning". |
| Information exposure through a stack trace | More results | This rule now also flags cases where the entire exception object (including the stack trace) may be exposed. | | Information exposure through a stack trace | More results | This rule now also flags cases where the entire exception object (including the stack trace) may be exposed. |
| Missing CSRF middleware | Fewer false-positive results | This rule now recognizes additional CSRF protection middlewares. | | Missing CSRF middleware | Fewer false-positive results | This rule now recognizes additional CSRF protection middlewares. |
| Missing 'this' qualifier | Fewer false-positive results | This rule now recognizes additional intentional calls to global functions. |
| Missing variable declaration | Lower severity | The severity of this rule has been revised to "warning". |
| Regular expression injection | Fewer false-positive results | This rule now identifies calls to `String.prototype.search` with more precision. | | Regular expression injection | Fewer false-positive results | This rule now identifies calls to `String.prototype.search` with more precision. |
| Remote property injection | Fewer results | The precision of this rule has been revised to "medium". Results are no longer shown on LGTM by default. | | Remote property injection | Fewer results | The precision of this rule has been revised to "medium". Results are no longer shown on LGTM by default. |
| Self assignment | Fewer false-positive results | This rule now ignores self-assignments preceded by a JSDoc comment with a `@type` tag. | | Self assignment | Fewer false-positive results | This rule now ignores self-assignments preceded by a JSDoc comment with a `@type` tag. |
| Server-side URL redirect | Fewer false-positive results | This rule now recognizes safe redirects in more cases. |
| Server-side URL redirect | More results | This rule now recognizes redirection calls in more cases. | | Server-side URL redirect | More results | This rule now recognizes redirection calls in more cases. |
| Unbound event handler receiver | Fewer false-positive results | This rule now recognizes additional ways class methods can be bound. | | Unbound event handler receiver | Fewer false-positive results | This rule now recognizes additional ways class methods can be bound. |
| Uncontrolled data used in remote request | More results | This rule now recognizes additional kinds of requests. | | Uncontrolled data used in remote request | More results | This rule now recognizes additional kinds of requests. |
| Unknown directive | Fewer false positives results | This rule now recognizes YUI compressor directives. |
| Unused import | Fewer false-positive results | This rule no longer flags imports used by the `transform-react-jsx` Babel plugin. | | Unused import | Fewer false-positive results | This rule no longer flags imports used by the `transform-react-jsx` Babel plugin. |
| Unused variable, import, function or class | Fewer false-positive results | This rule now flags fewer variables that may be used by `eval` calls. | | Unused variable, import, function or class | Fewer false-positive results | This rule now flags fewer variables that may be used by `eval` calls. |
| Unused variable, import, function or class | Fewer results | This rule now flags import statements with multiple unused imports once. | | Unused variable, import, function or class | Fewer results | This rule now flags import statements with multiple unused imports once. |
| Useless assignment to local variable | Fewer false-positive results | This rule now recognizes additional ways default values can be set. | | Useless assignment to local variable | Fewer false-positive results | This rule now recognizes additional ways default values can be set. |
| Whitespace contradicts operator precedence | Fewer false-positive results | This rule no longer flags operators with asymmetric whitespace. | | Whitespace contradicts operator precedence | Fewer false-positive results | This rule no longer flags operators with asymmetric whitespace. |
| Client-side URL redirect | Fewer false-positive results | This rule now recognizes safe redirects in more cases. | | Wrong use of 'this' for static method | More results, fewer false-positive results | This rule now recognizes inherited methods. |
| Server-side URL redirect | Fewer false-positive results | This rule now recognizes safe redirects in more cases. |
## Changes to QL libraries ## Changes to QL libraries
* The flow configuration framework now supports distinguishing and tracking different kinds of taint, specified by an extensible class `FlowLabel` (which can also be referred to by its alias `TaintKind`). * A `DataFlow::ParameterNode` instance now exists for all function parameters. Previously, unused parameters did not have a corresponding dataflow node.
* The `DataFlow::ThisNode` class now corresponds to the implicit receiver parameter of a function, as opposed to an indivdual `this` expression. This means `getALocalSource` now maps all `this` expressions within a given function to the same source. The data-flow node associated with a `ThisExpr` can no longer be cast to `DataFlow::SourceNode` or `DataFlow::ThisNode` - it is recomended to use `getALocalSource` before casting or instead of casting.
* `ReactComponent::getAThisAccess` has been renamed to `getAThisNode`. The old name is still usable but is deprecated. It no longer gets individual `this` expressions, but the `ThisNode` mentioned above. * `ReactComponent::getAThisAccess` has been renamed to `getAThisNode`. The old name is still usable but is deprecated. It no longer gets individual `this` expressions, but the `ThisNode` mentioned above.
* A `DataFlow::ParameterNode` instance now exists for all function parameters. Previously, unused parameters did not have a corresponding dataflow node. * The `DataFlow::ThisNode` class now corresponds to the implicit receiver parameter of a function, as opposed to an indivdual `this` expression. This means `getALocalSource` now maps all `this` expressions within a given function to the same source. The data-flow node associated with a `ThisExpr` can no longer be cast to `DataFlow::SourceNode` or `DataFlow::ThisNode` - it is recomended to use `getALocalSource` before casting or instead of casting.
* The flow configuration framework now supports distinguishing and tracking different kinds of taint, specified by an extensible class `FlowLabel` (which can also be referred to by its alias `TaintKind`).
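
Review bot: The added "Unknown directive" row says "Fewer false positives results", which is both ungrammatical and inconsistent with the "Fewer false-positive results" wording used in every other row of this table. The `DataFlow::ThisNode` bullet that is moved in the QL libraries list still carries the typos "indivdual" and "recomended"; since the line is being touched anyway, fix them here.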

View File

@@ -16,8 +16,16 @@
## General improvements ## General improvements
> Changes that affect alerts in many files or from many queries * On LGTM, files whose name ends in `.min.js` or `-min.js` are no longer extracted by default, since they most likely contain minified code and results in these files would be hidden by default anyway. To extract such files anyway, you can add the following filters to your `lgtm.yml` file (or add them to existing filters):
> For example, changes to file classification
```yaml
extraction:
javascript:
index:
filters:
- include: "**/*.min.js"
- include: "**/*-min.js"
```
## Changes to code extraction ## Changes to code extraction

View File

@@ -15,20 +15,9 @@ functions, and the total number of source code resp. comment lines.</p>
depends on third-party libraries: low self-containedness means that many dependencies depends on third-party libraries: low self-containedness means that many dependencies
are to library classes (as opposed to source classes within the same application).</p> are to library classes (as opposed to source classes within the same application).</p>
</overview>
<section title="How to Address the Query Results">
<p>The results of this query are purely informative and more useful for getting an overall impression of the application than for <p>The results of this query are purely informative and more useful for getting an overall impression of the application than for
identifying particular defects.</p> identifying particular problems with the code.</p>
</overview>
</section>
<references>
</references>
</qhelp> </qhelp>

View File

@@ -5,6 +5,7 @@
* @kind problem * @kind problem
* @id cpp/offset-use-before-range-check * @id cpp/offset-use-before-range-check
* @problem.severity warning * @problem.severity warning
* @precision medium
* @tags reliability * @tags reliability
* security * security
* external/cwe/cwe-120 * external/cwe/cwe-120
@@ -13,10 +14,29 @@
import cpp import cpp
from Variable v, LogicalAndExpr andexpr, ArrayExpr access, LTExpr rangecheck predicate beforeArrayAccess(Variable v, ArrayExpr access, Expr before) {
where access.getArrayOffset() = v.getAnAccess() exists(LogicalAndExpr andexpr |
and andexpr.getLeftOperand().getAChild() = access access.getArrayOffset() = v.getAnAccess() and
and andexpr.getRightOperand() = rangecheck andexpr.getRightOperand().getAChild*() = access and
and rangecheck.getLeftOperand() = v.getAnAccess() andexpr.getLeftOperand() = before
and not access.isInMacroExpansion() )
}
predicate afterArrayAccess(Variable v, ArrayExpr access, Expr after) {
exists(LogicalAndExpr andexpr |
access.getArrayOffset() = v.getAnAccess() and
andexpr.getLeftOperand().getAChild*() = access and
andexpr.getRightOperand() = after
)
}
from Variable v, ArrayExpr access, LTExpr rangecheck
where
afterArrayAccess(v, access, rangecheck) and
rangecheck.getLeftOperand() = v.getAnAccess() and
not access.isInMacroExpansion() and
not exists(LTExpr altcheck |
beforeArrayAccess(v, access, altcheck) and
altcheck.getLeftOperand() = v.getAnAccess()
)
select access, "This use of offset '" + v.getName() + "' should follow the $@.", rangecheck, "range check" select access, "This use of offset '" + v.getName() + "' should follow the $@.", rangecheck, "range check"
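
Review bot: In `beforeArrayAccess`, `andexpr.getLeftOperand() = before` only matches a check that is the entire left operand, while the array access is located anywhere under the other operand with `getAChild*()`. Because `&&` associates to the left, in an expression such as `i < n && p && a[i] && i < n` the earlier check is nested inside the left operand, so the new suppression does not apply and the access is still reported. Consider `andexpr.getLeftOperand().getAChild*() = before` (and the matching change for `after` in `afterArrayAccess`), and add a test for the chained case. The two predicates differ only in which operand is which, so they could share one helper. Both the reported check and the suppressing `altcheck` are also restricted to `LTExpr` with the variable on the left, so a guard written as `n > i` is not recognized; a short comment saying this is intentional would help.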

View File

@@ -4,6 +4,8 @@
* @kind problem * @kind problem
* @id cpp/use-number-constant * @id cpp/use-number-constant
* @problem.severity recommendation * @problem.severity recommendation
* @precision low
* @tags maintainability
*/ */
import cpp import cpp
import MagicConstants import MagicConstants

View File

@@ -4,6 +4,8 @@
* @kind problem * @kind problem
* @id cpp/use-string-constant * @id cpp/use-string-constant
* @problem.severity recommendation * @problem.severity recommendation
* @precision low
* @tags maintainability
*/ */
import cpp import cpp
import MagicConstants import MagicConstants

View File

@@ -4,7 +4,9 @@
* to enforce invariants that should hold for the whole hierarchy. * to enforce invariants that should hold for the whole hierarchy.
* @kind problem * @kind problem
* @id cpp/nvi * @id cpp/nvi
* @problem.severity warning * @problem.severity recommendation
* @precision low
* @tags maintainability
*/ */
import cpp import cpp

View File

@@ -4,8 +4,11 @@
* to enforce invariants that should hold for the whole hierarchy. * to enforce invariants that should hold for the whole hierarchy.
* This is especially problematic in classes with many * This is especially problematic in classes with many
* dependencies or dependents. * dependencies or dependents.
* @kind table * @kind problem
* @id cpp/nvi-hub * @id cpp/nvi-hub
* @problem.severity recommendation
* @precision low
* @tags maintainability
*/ */
import cpp import cpp
@@ -19,4 +22,4 @@ where f.hasSpecifier("public") and
fclass = f.getDeclaringType() and fclass = f.getDeclaringType() and
hubIndex = fclass.getMetrics().getAfferentCoupling() * fclass.getMetrics().getEfferentCoupling() and hubIndex = fclass.getMetrics().getAfferentCoupling() * fclass.getMetrics().getEfferentCoupling() and
hubIndex > 100 hubIndex > 100
select f.getFile(), f, "Avoid having public virtual methods (NVI idiom)" select f, "Avoid having public virtual methods (NVI idiom)"
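
Review bot: The new `select f, "Avoid having public virtual methods (NVI idiom)"` no longer tells the reader why this method was picked out: `hubIndex > 100` is what the query filters on, but neither the value nor the class appears in the alert. Now that this is a `@kind problem` query, consider adding the coupling figure or the declaring class name to the message so the result can be triaged without rerunning the metric.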

View File

@@ -4,7 +4,10 @@
* the included elements are used. * the included elements are used.
* @kind problem * @kind problem
* @id cpp/unused-includes * @id cpp/unused-includes
* @problem.severity warning * @problem.severity recommendation
* @precision low
* @tags maintainability
* useless-code
*/ */
import cpp import cpp

View File

@@ -82,22 +82,31 @@ class CallWithBufferSize extends FunctionCall
Expr buffer() { Expr buffer() {
exists(int i | exists(int i |
bufferAndSizeFunction(this.getTarget(), i, _) and bufferAndSizeFunction(this.getTarget(), i, _) and
result = this.getArgument(i)) result = this.getArgument(i)
)
} }
Expr statedSize() { Expr statedSizeExpr() {
exists(int i | exists(int i |
bufferAndSizeFunction(this.getTarget(), _, i) and bufferAndSizeFunction(this.getTarget(), _, i) and
result = this.getArgument(i)) result = this.getArgument(i)
)
}
int statedSizeValue() {
exists(Expr statedSizeSrc |
DataFlow::localFlow(DataFlow::exprNode(statedSizeSrc), DataFlow::exprNode(statedSizeExpr())) and
result = statedSizeSrc.getValue().toInt()
)
} }
} }
predicate wrongBufferSize(Expr error, string msg) { predicate wrongBufferSize(Expr error, string msg) {
exists(CallWithBufferSize call, int bufsize, Variable buf | exists(CallWithBufferSize call, int bufsize, Variable buf, int statedSize |
staticBuffer(call.buffer(), buf, bufsize) and staticBuffer(call.buffer(), buf, bufsize) and
call.statedSize().getValue().toInt() > bufsize and statedSize = min(call.statedSizeValue()) and
error = call.statedSize() and statedSize > bufsize and
error = call.statedSizeExpr() and
msg = "Potential buffer-overflow: '" + buf.getName() + msg = "Potential buffer-overflow: '" + buf.getName() +
"' has size " + bufsize.toString() + " not " + call.statedSize().getValue() + ".") "' has size " + bufsize.toString() + " not " + statedSize + ".")
} }
predicate outOfBounds(BufferAccess bufaccess, string msg) predicate outOfBounds(BufferAccess bufaccess, string msg)
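
Review bot: `statedSize = min(call.statedSizeValue())` in `wrongBufferSize` means an alert is raised only when the smallest constant that can flow to the size argument exceeds `bufsize`, so a call that receives a safe size on one local path and an oversized one on another is not reported. If that conservative choice is intended, say so in a comment next to the `min`, and give `statedSizeValue()` a QLDoc comment explaining that it yields every constant with local flow to the size expression. Renaming `statedSize()` to `statedSizeExpr()` also changes the member that any other user of `CallWithBufferSize` would call; keeping the old name as a deprecated alias would avoid breaking them.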

View File

@@ -12,5 +12,6 @@ from GlobalVariable v
where forex(VariableAccess va | va.getTarget() = v | va.getFile() = v.getDefinitionLocation().getFile()) where forex(VariableAccess va | va.getTarget() = v | va.getFile() = v.getDefinitionLocation().getFile())
and not v.hasSpecifier("static") and not v.hasSpecifier("static")
and strictcount(v.getAnAccess().getEnclosingFunction()) > 1 // If = 1, variable should be function-scope. and strictcount(v.getAnAccess().getEnclosingFunction()) > 1 // If = 1, variable should be function-scope.
and not v.getADeclarationEntry().getFile() instanceof HeaderFile // intended to be accessed elsewhere
select v, "The global variable " + v.getName() + " is not accessed outside of " + v.getFile().getBaseName() select v, "The global variable " + v.getName() + " is not accessed outside of " + v.getFile().getBaseName()
+ " and could be made static." + " and could be made static."

View File

@@ -10,5 +10,7 @@ import cpp
from GlobalVariable v, Function f from GlobalVariable v, Function f
where v.getAnAccess().getEnclosingFunction() = f and where v.getAnAccess().getEnclosingFunction() = f and
strictcount(v.getAnAccess().getEnclosingFunction()) = 1 strictcount(v.getAnAccess().getEnclosingFunction()) = 1 and
forall(VariableAccess a | a = v.getAnAccess() | exists(a.getEnclosingFunction())) and
not v.getADeclarationEntry().getFile() instanceof HeaderFile // intended to be accessed elsewhere
select v, "The variable " + v.getName() + " is only accessed in $@ and should be scoped accordingly.", f, f.getName() select v, "The variable " + v.getName() + " is only accessed in $@ and should be scoped accordingly.", f, f.getName()
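
Review bot: The added `forall(VariableAccess a | a = v.getAnAccess() | exists(a.getEnclosingFunction()))` line has no comment, unlike the header-file exclusion directly below it. A reader has to work out that it rejects variables with an access outside any function; a trailing comment such as "// not used at file scope" would match the style of the next line. The `HeaderFile` condition is now duplicated word for word in the "could be made static" query, so a shared predicate would keep the two in step.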

View File

@@ -18,4 +18,12 @@ from ComparisonOperation cmp
where pointlessSelfComparison(cmp) where pointlessSelfComparison(cmp)
and not nanTest(cmp) and not nanTest(cmp)
and not overflowTest(cmp) and not overflowTest(cmp)
and not exists(MacroInvocation mi |
// cmp is in mi
mi.getAnExpandedElement() = cmp and
// and cmp was apparently not passed in as a macro parameter
cmp.getLocation().getStartLine() = mi.getLocation().getStartLine() and
cmp.getLocation().getStartColumn() = mi.getLocation().getStartColumn()
)
select cmp, "Self comparison." select cmp, "Self comparison."
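
Review bot: The test for "not passed in as a macro parameter" relies on the comparison starting at the same line and column as the invocation, which the comment only describes as "apparently". Please expand the comment to explain why matching start positions imply that the expression came from the macro body, and add a test with a self comparison passed as a macro argument to pin the behaviour down. The change note for this query says "Code inside macro invocations is now excluded", which is broader than what this condition does; the two should be worded the same way.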

View File

@@ -4,6 +4,8 @@
* @kind problem * @kind problem
* @id cpp/more-64-bit-waste * @id cpp/more-64-bit-waste
* @problem.severity warning * @problem.severity warning
* @tags maintainability
* portability
*/ */
import semmle.code.cpp.padding.Padding import semmle.code.cpp.padding.Padding

View File

@@ -5,6 +5,8 @@
* @kind problem * @kind problem
* @id cpp/non-portable-printf * @id cpp/non-portable-printf
* @problem.severity warning * @problem.severity warning
* @tags maintainability
* portability
*/ */
import cpp import cpp

View File

@@ -4,7 +4,8 @@
* that by reordering them one could reduce the amount of internal padding on a 64-bit architecture. * that by reordering them one could reduce the amount of internal padding on a 64-bit architecture.
* @kind problem * @kind problem
* @id cpp/suboptimal-64-bit-type * @id cpp/suboptimal-64-bit-type
* @problem.severity warning * @problem.severity recommendation
* @tags efficiency
*/ */
import semmle.code.cpp.padding.Padding import semmle.code.cpp.padding.Padding

View File

@@ -7,6 +7,7 @@
* @treemap.warnOn highValues * @treemap.warnOn highValues
* @metricType file * @metricType file
* @metricAggregate avg sum max * @metricAggregate avg sum max
* @deprecated
*/ */
import cpp import cpp
import external.VCS import external.VCS
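Review bot: The `@deprecated` tag added to this metric header gives no reason and no pointer to a replacement, and the same bare tag is repeated across the other `external.VCS` metric queries in this commit. Consider stating in the `@description` why the query is deprecated and what, if anything, users should switch to, so that anyone who has these queries in a suite knows how to react.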

View File

@@ -7,6 +7,7 @@
* @treemap.warnOn highValues * @treemap.warnOn highValues
* @metricType file * @metricType file
* @metricAggregate avg sum max * @metricAggregate avg sum max
* @deprecated
*/ */
import cpp import cpp
import external.VCS import external.VCS

View File

@@ -7,6 +7,7 @@
* @treemap.warnOn highValues * @treemap.warnOn highValues
* @metricType file * @metricType file
* @metricAggregate avg sum max * @metricAggregate avg sum max
* @deprecated
*/ */
import cpp import cpp
import external.VCS import external.VCS

View File

@@ -6,6 +6,7 @@
* @treemap.warnOn highValues * @treemap.warnOn highValues
* @metricType file * @metricType file
* @metricAggregate avg min max * @metricAggregate avg min max
* @deprecated
*/ */
import cpp import cpp
import external.VCS import external.VCS

View File

@@ -7,6 +7,7 @@
* @treemap.warnOn highValues * @treemap.warnOn highValues
* @metricType file * @metricType file
* @metricAggregate avg min max sum * @metricAggregate avg min max sum
* @deprecated
*/ */
import cpp import cpp
import external.VCS import external.VCS

View File

@@ -7,6 +7,7 @@
* @treemap.warnOn highValues * @treemap.warnOn highValues
* @metricType file * @metricType file
* @metricAggregate avg min max * @metricAggregate avg min max
* @deprecated
*/ */
import cpp import cpp
import external.VCS import external.VCS

View File

@@ -7,6 +7,7 @@
* @treemap.warnOn highValues * @treemap.warnOn highValues
* @metricType file * @metricType file
* @metricAggregate avg min max * @metricAggregate avg min max
* @deprecated
*/ */
import cpp import cpp
import external.VCS import external.VCS

View File

@@ -7,6 +7,7 @@
* @treemap.warnOn highValues * @treemap.warnOn highValues
* @metricType file * @metricType file
* @metricAggregate avg min max * @metricAggregate avg min max
* @deprecated
*/ */
import cpp import cpp
import external.VCS import external.VCS

View File

@@ -6,6 +6,7 @@
* @treemap.warnOn highValues * @treemap.warnOn highValues
* @metricType file * @metricType file
* @metricAggregate avg min max sum * @metricAggregate avg min max sum
* @deprecated
*/ */
import cpp import cpp
import external.VCS import external.VCS

View File

@@ -6,6 +6,7 @@
* @treemap.warnOn highValues * @treemap.warnOn highValues
* @metricType file * @metricType file
* @metricAggregate avg min max sum * @metricAggregate avg min max sum
* @deprecated
*/ */
import cpp import cpp
import external.VCS import external.VCS

View File

@@ -12,5 +12,6 @@ from GlobalVariable v
where forex(VariableAccess va | va.getTarget() = v | va.getFile() = v.getDefinitionLocation().getFile()) where forex(VariableAccess va | va.getTarget() = v | va.getFile() = v.getDefinitionLocation().getFile())
and not v.hasSpecifier("static") and not v.hasSpecifier("static")
and strictcount(v.getAnAccess().getEnclosingFunction()) > 1 // If = 1, variable should be function-scope. and strictcount(v.getAnAccess().getEnclosingFunction()) > 1 // If = 1, variable should be function-scope.
and not v.getADeclarationEntry().getFile() instanceof HeaderFile // intended to be accessed elsewhere
select v, "The global variable " + v.getName() + " is not accessed outside of " + v.getFile().getBaseName() + select v, "The global variable " + v.getName() + " is not accessed outside of " + v.getFile().getBaseName() +
" and could be made static." " and could be made static."
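Review bot: The new clause `not v.getADeclarationEntry().getFile() instanceof HeaderFile` is added verbatim, with the same short comment, to two queries in this commit. Consider moving it into a shared predicate whose name states the intent (the variable is declared in a header, so other files are expected to use it). That would also make it explicit that a single declaration entry in a header is enough to exclude the variable.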

View File

@@ -10,5 +10,7 @@ import cpp
from GlobalVariable v, Function f from GlobalVariable v, Function f
where v.getAnAccess().getEnclosingFunction() = f and where v.getAnAccess().getEnclosingFunction() = f and
strictcount(v.getAnAccess().getEnclosingFunction()) = 1 strictcount(v.getAnAccess().getEnclosingFunction()) = 1 and
forall(VariableAccess a | a = v.getAnAccess() | exists(a.getEnclosingFunction())) and
not v.getADeclarationEntry().getFile() instanceof HeaderFile // intended to be accessed elsewhere
select v, "The variable " + v.getName() + " is only accessed in $@ and should be scoped accordingly.", f, f.getName() select v, "The variable " + v.getName() + " is only accessed in $@ and should be scoped accordingly.", f, f.getName()
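Review bot: The added `forall(VariableAccess a | a = v.getAnAccess() | exists(a.getEnclosingFunction()))` has no comment, unlike the header-file clause on the following line. Please state what it guards against: an access that has no enclosing function contributes nothing to the `strictcount`, so without this clause a variable that is also used outside any function would still be reported as accessed in only one function. A test case with such an access would pin the behaviour down.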

View File

@@ -4,7 +4,6 @@
*/ */
import cpp import cpp
import external.DefectFilter import external.DefectFilter
import external.VCS
from DefectResult res from DefectResult res
where res.getFile().getMetrics().getNumberOfLinesOfCode() > 200 where res.getFile().getMetrics().getNumberOfLinesOfCode() > 200

View File

@@ -3,6 +3,7 @@
* @description A test case for creating a defect from SVN data. * @description A test case for creating a defect from SVN data.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @deprecated
*/ */
import cpp import cpp

View File

@@ -3,6 +3,7 @@
* @description Find number of commits for a file * @description Find number of commits for a file
* @treemap.warnOn lowValues * @treemap.warnOn lowValues
* @metricType file * @metricType file
* @deprecated
*/ */
import cpp import cpp

View File

@@ -6,6 +6,7 @@
* before the date of the snapshot. * before the date of the snapshot.
* @kind problem * @kind problem
* @id cpp/recent-defects-filter * @id cpp/recent-defects-filter
* @deprecated
*/ */
import cpp import cpp
import external.DefectFilter import external.DefectFilter

View File

@@ -6,6 +6,7 @@
* before the snapshot. * before the snapshot.
* @kind treemap * @kind treemap
* @id cpp/recent-defects-for-metric-filter * @id cpp/recent-defects-for-metric-filter
* @deprecated
*/ */
import cpp import cpp
import external.MetricFilter import external.MetricFilter

View File

@@ -4,6 +4,8 @@
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-1 * @id cpp/jsf/av-rule-1
* @problem.severity warning * @problem.severity warning
* @tags maintainability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -4,6 +4,10 @@
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-2 * @id cpp/jsf/av-rule-2
* @problem.severity error * @problem.severity error
* @tags maintainability
* readability
* testability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -3,7 +3,9 @@
* @description All functions shall have a cyclomatic complexity number of 20 or less. * @description All functions shall have a cyclomatic complexity number of 20 or less.
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-3 * @id cpp/jsf/av-rule-3
* @problem.severity error * @problem.severity recommendation
* @tags maintainability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -4,6 +4,9 @@
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-11 * @id cpp/jsf/av-rule-11
* @problem.severity warning * @problem.severity warning
* @tags maintainability
* readability
* external/jsf
*/ */
import cpp import cpp
import external.ExternalArtifact import external.ExternalArtifact

View File

@@ -4,6 +4,9 @@
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-12 * @id cpp/jsf/av-rule-12
* @problem.severity warning * @problem.severity warning
* @tags maintainability
* readability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -4,6 +4,9 @@
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-13 * @id cpp/jsf/av-rule-13
* @problem.severity error * @problem.severity error
* @tags maintainability
* portability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -4,6 +4,9 @@
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-14 * @id cpp/jsf/av-rule-14
* @problem.severity error * @problem.severity error
* @tags maintainability
* readability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -4,6 +4,9 @@
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-9 * @id cpp/jsf/av-rule-9
* @problem.severity warning * @problem.severity warning
* @tags maintainability
* portability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -4,6 +4,8 @@
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-17 * @id cpp/jsf/av-rule-17
* @problem.severity error * @problem.severity error
* @tags maintainability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -4,6 +4,8 @@
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-18 * @id cpp/jsf/av-rule-18
* @problem.severity error * @problem.severity error
* @tags maintainability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -4,6 +4,8 @@
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-19 * @id cpp/jsf/av-rule-19
* @problem.severity error * @problem.severity error
* @tags maintainability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -4,6 +4,10 @@
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-20 * @id cpp/jsf/av-rule-20
* @problem.severity error * @problem.severity error
* @tags correctness
* portability
* readability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -4,6 +4,9 @@
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-21 * @id cpp/jsf/av-rule-21
* @problem.severity error * @problem.severity error
* @tags correctness
* portability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -4,6 +4,9 @@
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-22 * @id cpp/jsf/av-rule-22
* @problem.severity error * @problem.severity error
* @tags maintainability
* portability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -4,6 +4,9 @@
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-23 * @id cpp/jsf/av-rule-23
* @problem.severity error * @problem.severity error
* @tags correctness
* portability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -4,7 +4,9 @@
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-24 * @id cpp/jsf/av-rule-24
* @problem.severity warning * @problem.severity warning
* @tags portability * @tags correctness
* portability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -4,6 +4,9 @@
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-25 * @id cpp/jsf/av-rule-25
* @problem.severity error * @problem.severity error
* @tags correctness
* portability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -4,6 +4,8 @@
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-26 * @id cpp/jsf/av-rule-26
* @problem.severity error * @problem.severity error
* @tags maintainability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -4,6 +4,9 @@
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-27 * @id cpp/jsf/av-rule-27
* @problem.severity warning * @problem.severity warning
* @tags maintainability
* portability
* external/jsf
*/ */
import cpp import cpp
import semmle.code.cpp.headers.MultipleInclusion import semmle.code.cpp.headers.MultipleInclusion

View File

@@ -4,6 +4,8 @@
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-28 * @id cpp/jsf/av-rule-28
* @problem.severity warning * @problem.severity warning
* @tags maintainability
* external/jsf
*/ */
import cpp import cpp
import semmle.code.cpp.headers.MultipleInclusion import semmle.code.cpp.headers.MultipleInclusion

View File

@@ -4,6 +4,8 @@
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-29 * @id cpp/jsf/av-rule-29
* @problem.severity error * @problem.severity error
* @tags maintainability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -4,6 +4,8 @@
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-30 * @id cpp/jsf/av-rule-30
* @problem.severity error * @problem.severity error
* @tags maintainability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -4,6 +4,8 @@
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-31 * @id cpp/jsf/av-rule-31
* @problem.severity warning * @problem.severity warning
* @tags maintainability
* external/jsf
*/ */
import cpp import cpp
import semmle.code.cpp.headers.MultipleInclusion import semmle.code.cpp.headers.MultipleInclusion

View File

@@ -7,6 +7,8 @@
* @id cpp/include-non-header * @id cpp/include-non-header
* @tags maintainability * @tags maintainability
* modularity * modularity
* readability
* external/jsf
*/ */
import cpp import cpp
import semmle.code.cpp.AutogeneratedFile import semmle.code.cpp.AutogeneratedFile

View File

@@ -4,6 +4,9 @@
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-33 * @id cpp/jsf/av-rule-33
* @problem.severity error * @problem.severity error
* @tags maintainability
* portability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -10,6 +10,7 @@
* @tags efficiency * @tags efficiency
* maintainability * maintainability
* modularity * modularity
* external/jsf
*/ */
import cpp import cpp
import semmle.code.cpp.headers.MultipleInclusion import semmle.code.cpp.headers.MultipleInclusion

View File

@@ -4,6 +4,8 @@
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-39 * @id cpp/jsf/av-rule-39
* @problem.severity warning * @problem.severity warning
* @tags maintainability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -4,6 +4,8 @@
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-40 * @id cpp/jsf/av-rule-40
* @problem.severity error * @problem.severity error
* @tags correctness
* external/jsf
*/ */
import cpp import cpp

View File

@@ -3,7 +3,10 @@
* @description Source lines will be kept to a length of 120 characters or less. * @description Source lines will be kept to a length of 120 characters or less.
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-41 * @id cpp/jsf/av-rule-41
* @problem.severity warning * @problem.severity recommendation
* @tags maintainability
* readability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -3,7 +3,10 @@
* @description Each expression-statement will be on a separate line. * @description Each expression-statement will be on a separate line.
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-42 * @id cpp/jsf/av-rule-42
* @problem.severity warning * @problem.severity recommendation
* @tags maintainability
* readability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -4,6 +4,9 @@
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-43 * @id cpp/jsf/av-rule-43
* @problem.severity recommendation * @problem.severity recommendation
* @tags maintainability
* readability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -3,7 +3,10 @@
* @description All indentations will be at least two spaces and be consistent within the same source file. * @description All indentations will be at least two spaces and be consistent within the same source file.
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-44 * @id cpp/jsf/av-rule-44
* @problem.severity warning * @problem.severity recommendation
* @tags maintainability
* readability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -3,7 +3,10 @@
* @description All words in an identifier will be separated by the underscore character. * @description All words in an identifier will be separated by the underscore character.
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-45 * @id cpp/jsf/av-rule-45
* @problem.severity warning * @problem.severity recommendation
* @tags maintainability
* readability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -3,7 +3,10 @@
* @description User-specified identifiers (internal and external) will not rely on significance of more than 64 characters. * @description User-specified identifiers (internal and external) will not rely on significance of more than 64 characters.
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-46 * @id cpp/jsf/av-rule-46
* @problem.severity warning * @problem.severity recommendation
* @tags maintainability
* readability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -3,7 +3,9 @@
* @description Identifiers will not begin with the underscore character. * @description Identifiers will not begin with the underscore character.
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-47 * @id cpp/jsf/av-rule-47
* @problem.severity warning * @problem.severity recommendation
* @tags maintainability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -4,6 +4,9 @@
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-48 * @id cpp/jsf/av-rule-48
* @problem.severity warning * @problem.severity warning
* @tags maintainability
* readability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -3,7 +3,10 @@
* @description All acronyms in an identifier will be composed of uppercase letters. * @description All acronyms in an identifier will be composed of uppercase letters.
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-49 * @id cpp/jsf/av-rule-49
* @problem.severity warning * @problem.severity recommendation
* @tags maintainability
* readability
* external/jsf
*/ */
import cpp import cpp
import Naming import Naming

View File

@@ -3,7 +3,10 @@
* @description The first word of the name of a class, structure, namespace, enumeration, or type created with typedef will begin with an uppercase letter. All other letters will be lowercase. * @description The first word of the name of a class, structure, namespace, enumeration, or type created with typedef will begin with an uppercase letter. All other letters will be lowercase.
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-50 * @id cpp/jsf/av-rule-50
* @problem.severity warning * @problem.severity recommendation
* @tags maintainability
* readability
* external/jsf
*/ */
import cpp import cpp
import Naming import Naming

View File

@@ -3,7 +3,10 @@
* @description All letters contained in function and variable names will be lowercase. * @description All letters contained in function and variable names will be lowercase.
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-51 * @id cpp/jsf/av-rule-51
* @problem.severity warning * @problem.severity recommendation
* @tags maintainability
* readability
* external/jsf
*/ */
import cpp import cpp
import Naming import Naming

View File

@@ -3,7 +3,10 @@
* @description Identifiers for constant and enumerator values shall be lowercase. * @description Identifiers for constant and enumerator values shall be lowercase.
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-52 * @id cpp/jsf/av-rule-52
* @problem.severity error * @problem.severity recommendation
* @tags maintainability
* readability
* external/jsf
*/ */
import cpp import cpp
import Naming import Naming

View File

@@ -3,7 +3,10 @@
* @description The following character sequences shall not appear in header file names: ', \, /*, //, or ". * @description The following character sequences shall not appear in header file names: ', \, /*, //, or ".
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-53-1 * @id cpp/jsf/av-rule-53-1
* @problem.severity error * @problem.severity warning
* @tags maintainability
* portability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -3,7 +3,10 @@
* @description Header files will always have a file name extension of .h. * @description Header files will always have a file name extension of .h.
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-53 * @id cpp/jsf/av-rule-53
* @problem.severity warning * @problem.severity recommendation
* @tags maintainability
* readability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -3,7 +3,10 @@
* @description Implementation files will always have a file name extension of .cpp. * @description Implementation files will always have a file name extension of .cpp.
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-54 * @id cpp/jsf/av-rule-54
* @problem.severity warning * @problem.severity recommendation
* @tags maintainability
* readability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -3,7 +3,10 @@
* @description The public, protected, and private sections of a class will be declared in that order. * @description The public, protected, and private sections of a class will be declared in that order.
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-57 * @id cpp/jsf/av-rule-57
* @problem.severity warning * @problem.severity recommendation
* @tags maintainability
* readability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -3,7 +3,10 @@
* @description When declaring and defining functions with more than two parameters, the leading parenthesis and the first argument will be written on the same line as the function name. Each additional argument will be written on a separate line (with the closing parenthesis directly after the last argument). * @description When declaring and defining functions with more than two parameters, the leading parenthesis and the first argument will be written on the same line as the function name. Each additional argument will be written on a separate line (with the closing parenthesis directly after the last argument).
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-58 * @id cpp/jsf/av-rule-58
* @problem.severity warning * @problem.severity recommendation
* @tags maintainability
* readability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -3,7 +3,10 @@
* @description The statements forming the body of an if, else if, else, while, do-while or for statement shall always be enclosed in braces, even if the braces form an empty block. * @description The statements forming the body of an if, else if, else, while, do-while or for statement shall always be enclosed in braces, even if the braces form an empty block.
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-59 * @id cpp/jsf/av-rule-59
* @problem.severity error * @problem.severity recommendation
* @tags maintainability
* readability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -3,7 +3,10 @@
* @description Braces which enclose a block will be placed in the same column, on separate lines directly before and after the block. * @description Braces which enclose a block will be placed in the same column, on separate lines directly before and after the block.
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-60 * @id cpp/jsf/av-rule-60
* @problem.severity warning * @problem.severity recommendation
* @tags maintainability
* readability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -3,7 +3,10 @@
* @description Braces which enclose a block will have nothing else on the line except comments (if necessary). * @description Braces which enclose a block will have nothing else on the line except comments (if necessary).
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-61 * @id cpp/jsf/av-rule-61
* @problem.severity warning * @problem.severity recommendation
* @tags maintainability
* readability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -3,7 +3,10 @@
* @description Spaces will not be used around '.' or '->', nor between unary operators and operands. * @description Spaces will not be used around '.' or '->', nor between unary operators and operands.
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-63 * @id cpp/jsf/av-rule-63
* @problem.severity error * @problem.severity recommendation
* @tags maintainability
* readability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -3,7 +3,9 @@
* @description Unneeded implicitly generated member functions shall be explicitly disallowed. * @description Unneeded implicitly generated member functions shall be explicitly disallowed.
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-68 * @id cpp/jsf/av-rule-68
* @problem.severity error * @problem.severity warning
* @tags correctness
* external/jsf
*/ */
import cpp import cpp

View File

@@ -5,6 +5,8 @@
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-69 * @id cpp/jsf/av-rule-69
* @problem.severity warning * @problem.severity warning
* @tags maintainability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -5,7 +5,9 @@
* for logical or efficiency reasons. * for logical or efficiency reasons.
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-70 * @id cpp/jsf/av-rule-70
* @problem.severity warning * @problem.severity recommendation
* @tags maintainability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -8,6 +8,7 @@
* @tags reliability * @tags reliability
* readability * readability
* language-features * language-features
* external/jsf
*/ */
import cpp import cpp

View File

@@ -4,6 +4,8 @@
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-71 * @id cpp/jsf/av-rule-71
* @problem.severity error * @problem.severity error
* @tags correctness
* external/jsf
*/ */
import cpp import cpp

View File

@@ -3,8 +3,10 @@
* @description Unnecessary default constructors shall not be defined. * @description Unnecessary default constructors shall not be defined.
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-73 * @id cpp/jsf/av-rule-73
* @problem.severity error * @problem.severity recommendation
* @precision low * @precision low
* @tags maintainability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -6,6 +6,8 @@
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-74 * @id cpp/jsf/av-rule-74
* @problem.severity warning * @problem.severity warning
* @tags correctness
* external/jsf
*/ */
import cpp import cpp

View File

@@ -3,7 +3,10 @@
* @description Members of the initialization list shall be listed in the order in which they are declared in the class. * @description Members of the initialization list shall be listed in the order in which they are declared in the class.
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-75 * @id cpp/jsf/av-rule-75
* @problem.severity error * @problem.severity recommendation
* @tags maintainability
* readability
* external/jsf
*/ */
import cpp import cpp

View File

@@ -3,7 +3,9 @@
* @description A copy constructor and an assignment operator shall be declared for classes that contain pointers to data items or nontrivial destructors. If the copy constructor and assignment operators are not required, they should be explicitly disallowed. * @description A copy constructor and an assignment operator shall be declared for classes that contain pointers to data items or nontrivial destructors. If the copy constructor and assignment operators are not required, they should be explicitly disallowed.
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-76 * @id cpp/jsf/av-rule-76
* @problem.severity error * @problem.severity warning
* @tags maintainability
* external/jsf
*/ */
import cpp import cpp
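Review bot: The `@tags` added here list only `maintainability`, yet the `@description` covers classes that contain pointers to data items or nontrivial destructors, where an implicitly generated copy constructor or assignment operator copies the pointer and can lead to a double free or use after free. `cpp/jsf/av-rule-68`, which is about disallowing unneeded implicitly generated member functions, is tagged `correctness` in this same commit; consider adding `correctness` here as well so the rule is not triaged as a style issue.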

View File

@@ -8,6 +8,7 @@
* @tags reliability * @tags reliability
* readability * readability
* language-features * language-features
* external/jsf
*/ */
import cpp import cpp

View File

@@ -3,11 +3,11 @@
* @description All base classes with a virtual function should define a virtual destructor. If an application attempts to delete a derived class object through a base class pointer, the result is undefined if the base class destructor is non-virtual. * @description All base classes with a virtual function should define a virtual destructor. If an application attempts to delete a derived class object through a base class pointer, the result is undefined if the base class destructor is non-virtual.
* @kind problem * @kind problem
* @problem.severity warning * @problem.severity warning
* @precision high
* @id cpp/jsf/av-rule-78 * @id cpp/jsf/av-rule-78
* @tags reliability * @tags reliability
* readability * readability
* language-features * language-features
* external/jsf
*/ */
import cpp import cpp
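Review bot: `@precision high` appears only on the old side of this hunk, so the query loses its precision metadata in a change that otherwise only adds the `external/jsf` tag. If the removal is deliberate, please mention it in the commit message; if it came in through the merge by accident, restore the line so the query keeps its precision rating.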

View File

@@ -8,6 +8,7 @@
* @tags efficiency * @tags efficiency
* readability * readability
* external/cwe/cwe-404 * external/cwe/cwe-404
* external/jsf
*/ */
import cpp import cpp
import Critical.NewDelete import Critical.NewDelete

View File

@@ -4,6 +4,8 @@
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-81 * @id cpp/jsf/av-rule-81
* @problem.severity error * @problem.severity error
* @tags correctness
* external/jsf
*/ */
import cpp import cpp

View File

@@ -8,6 +8,7 @@
* @tags reliability * @tags reliability
* readability * readability
* language-features * language-features
* external/jsf
*/ */
import cpp import cpp

View File

@@ -4,7 +4,9 @@
* @kind problem * @kind problem
* @id cpp/jsf/av-rule-85 * @id cpp/jsf/av-rule-85
* @problem.severity warning * @problem.severity warning
* @tags reliability * @tags maintainability
* reliability
* external/jsf
*/ */
import cpp import cpp

Some files were not shown because too many files have changed in this diff