Merge branch 'main' into map

2025-12-17 01:03:14 +01:00 · 2020-10-05 12:32:49 +01:00
parent 2dc8fba7fe e660ac54da
commit c757813d65
66 changed files with 1381 additions and 1142 deletions
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@@ -3,8 +3,8 @@
    // Extension identifier format: ${publisher}.${name}. Example: vscode.csharp
    // List of extensions which should be recommended for users of this workspace.
    "recommendations": [
-        "github.vscode-codeql"
+        "GitHub.vscode-codeql"
    ],
    // List of extensions recommended by VS Code that should not be recommended for users of this workspace.
    "unwantedRecommendations": []
-}
+}
--- a/cpp/ql/src/Metrics/Dependencies/ExternalDependencies.ql
+++ b/cpp/ql/src/Metrics/Dependencies/ExternalDependencies.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name External dependencies
 * @description Count the number of dependencies a C/C++ source file has on external libraries.
 * @kind treemap
--- a/cpp/ql/src/Metrics/Dependencies/ExternalDependenciesSourceLinks.ql
+++ b/cpp/ql/src/Metrics/Dependencies/ExternalDependenciesSourceLinks.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name External dependency source links
 * @kind source-link
 * @metricType externalDependency
--- a/cpp/ql/src/Metrics/Files/FLinesOfDuplicatedCode.ql
+++ b/cpp/ql/src/Metrics/Files/FLinesOfDuplicatedCode.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Duplicated lines in files
 * @description The number of lines in a file, including code, comment
 *              and whitespace lines, which are duplicated in at least
--- a/cpp/ql/src/codeql-suites/cpp-lgtm-full.qls
+++ b/cpp/ql/src/codeql-suites/cpp-lgtm-full.qls
@@ -9,10 +9,7 @@
    tags contain:
      - ide-contextual-queries/local-definitions
      - ide-contextual-queries/local-references
- query: Metrics/Dependencies/ExternalDependencies.ql
- query: Metrics/Dependencies/ExternalDependenciesSourceLinks.ql
 - query: Metrics/Files/FLinesOfCode.ql
 - query: Metrics/Files/FLinesOfCommentedOutCode.ql
 - query: Metrics/Files/FLinesOfComments.ql
- query: Metrics/Files/FLinesOfDuplicatedCode.ql
 - query: Metrics/Files/FNumberOfTests.ql
--- a/cpp/ql/src/external/DuplicateBlock.ql
+++ b/cpp/ql/src/external/DuplicateBlock.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Duplicate code
 * @description This block of code is duplicated elsewhere. If possible, the shared code should be refactored so there is only one occurrence left. It may not always be possible to address these issues; other duplicate code checks (such as duplicate function, duplicate class) give subsets of the results with higher confidence.
 * @kind problem
--- a/cpp/ql/src/external/DuplicateFunction.ql
+++ b/cpp/ql/src/external/DuplicateFunction.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Duplicate function
 * @description There is another identical implementation of this function. Extract the code to a common file or superclass or delegate to improve sharing.
 * @kind problem
--- a/cpp/ql/src/external/MostlyDuplicateClass.ql
+++ b/cpp/ql/src/external/MostlyDuplicateClass.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Mostly duplicate class
 * @description More than 80% of the methods in this class are duplicated in another class. Create a common supertype to improve code sharing.
 * @kind problem
--- a/cpp/ql/src/external/MostlyDuplicateFile.ql
+++ b/cpp/ql/src/external/MostlyDuplicateFile.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Mostly duplicate file
 * @description There is another file that shares a lot of the code with this file. Merge the two files to improve maintainability.
 * @kind problem
--- a/cpp/ql/src/external/MostlyDuplicateFunction.ql
+++ b/cpp/ql/src/external/MostlyDuplicateFunction.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Mostly duplicate function
 * @description There is another function that shares a lot of the code with this one. Extract the code to a common file/superclass or delegate to improve sharing.
 * @kind problem
--- a/cpp/ql/src/external/MostlySimilarFile.ql
+++ b/cpp/ql/src/external/MostlySimilarFile.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Mostly similar file
 * @description There is another file that shares a lot of the code with this file. Notice that names of variables and types may have been changed. Merge the two files to improve maintainability.
 * @kind problem
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/standalone_iterators.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/standalone_iterators.cpp
@@ -37,15 +37,15 @@ public:
 };

 void test_typedefs(int_iterator_by_typedefs source1) {
-    sink(*source1);
-    sink(*(source1++));
-    sink(*(++source1));
+    sink(*source1); // tainted
+    sink(*(source1++)); // tainted
+    sink(*(++source1)); // tainted
 }

 void test_trait(int_iterator_by_trait source1) {
-    sink(*source1);
-    sink(*(source1++));
-    sink(*(++source1));
+    sink(*source1); // tainted
+    sink(*(source1++)); // tainted
+    sink(*(++source1)); // tainted
 }

 void test_non_iterator(non_iterator source1) {
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/string.cpp
@@ -18,6 +18,7 @@ void sink(const char *s);
 void sink(const std::string &s);
 void sink(const char *filename, const char *mode);
 void sink(char);
+void sink(std::string::iterator);

 void test_string()
 {
@@ -349,6 +350,7 @@ void test_string_data_more()
 	sink(str); // tainted
 	sink(str.data()); // tainted
 }
+
 void test_string_iterators() {
 	// string append
 	{
@@ -389,7 +391,7 @@ void test_string_iterators() {
 		string::iterator i1 = s1.begin();

 		string::iterator i2 = s2.begin();
-		string::iterator i3, i4, i5, i6, i7, i8, i9;
+		string::iterator i3, i4, i5, i6, i7, i8, i9, i10, i11;

 		sink(*(i2+1)); //tainted
 		sink(*(i2-1)); // tainted
@@ -411,6 +413,13 @@ void test_string_iterators() {
 		i9 = s2.end();
 		--i9;
 		sink(*i9); // tainted
+
+		i10 = i2;
+		sink(*(i10++)); // tainted
+		sink(i10); // tainted
+		i11 = i2;
+		sink(*(i11--)); // tainted
+		sink(i11); // tainted
 	}
 }

@@ -428,8 +437,6 @@ void test_string_insert_more()
 	sink(s2); // tainted
 }

-void sink(std::string::iterator);
-
 void test_string_iterator_methods()
 {
 	{
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -154,119 +154,123 @@
 | standalone_iterators.cpp:46:10:46:10 | call to operator* | standalone_iterators.cpp:45:39:45:45 | source1 |
 | standalone_iterators.cpp:47:10:47:10 | call to operator* | standalone_iterators.cpp:45:39:45:45 | source1 |
 | standalone_iterators.cpp:48:10:48:10 | call to operator* | standalone_iterators.cpp:45:39:45:45 | source1 |
-| string.cpp:28:7:28:7 | a | string.cpp:24:12:24:17 | call to source |
-| string.cpp:30:7:30:7 | c | string.cpp:26:16:26:21 | call to source |
-| string.cpp:32:9:32:13 | call to c_str | string.cpp:26:16:26:21 | call to source |
-| string.cpp:38:13:38:17 | call to c_str | string.cpp:14:10:14:15 | call to source |
-| string.cpp:42:13:42:17 | call to c_str | string.cpp:14:10:14:15 | call to source |
-| string.cpp:45:13:45:17 | call to c_str | string.cpp:14:10:14:15 | call to source |
-| string.cpp:55:7:55:8 | cs | string.cpp:50:19:50:24 | call to source |
-| string.cpp:56:7:56:8 | ss | string.cpp:50:19:50:24 | call to source |
-| string.cpp:69:7:69:8 | cs | string.cpp:61:19:61:24 | call to source |
-| string.cpp:70:7:70:8 | ss | string.cpp:61:19:61:24 | call to source |
-| string.cpp:92:8:92:9 | s1 | string.cpp:87:18:87:23 | call to source |
-| string.cpp:93:8:93:9 | s2 | string.cpp:88:20:88:25 | call to source |
-| string.cpp:94:8:94:9 | s3 | string.cpp:90:8:90:13 | call to source |
-| string.cpp:113:8:113:9 | s1 | string.cpp:109:32:109:37 | call to source |
-| string.cpp:114:8:114:9 | s2 | string.cpp:111:20:111:25 | call to source |
-| string.cpp:121:8:121:8 | c | string.cpp:119:16:119:21 | call to source |
-| string.cpp:125:8:125:8 | call to operator* | string.cpp:119:16:119:21 | call to source |
-| string.cpp:129:8:129:8 | c | string.cpp:119:16:119:21 | call to source |
-| string.cpp:134:8:134:8 | c | string.cpp:132:28:132:33 | call to source |
-| string.cpp:144:11:144:11 | call to operator+ | string.cpp:141:18:141:23 | call to source |
-| string.cpp:145:11:145:11 | call to operator+ | string.cpp:141:18:141:23 | call to source |
-| string.cpp:146:11:146:11 | call to operator+ | string.cpp:141:18:141:23 | call to source |
-| string.cpp:149:11:149:11 | call to operator+ | string.cpp:149:13:149:18 | call to source |
-| string.cpp:158:8:158:9 | s5 | string.cpp:154:18:154:23 | call to source |
-| string.cpp:161:11:161:11 | call to operator+= | string.cpp:154:18:154:23 | call to source |
-| string.cpp:162:8:162:9 | s6 | string.cpp:154:18:154:23 | call to source |
-| string.cpp:165:11:165:11 | call to operator+= | string.cpp:165:14:165:19 | call to source |
-| string.cpp:166:11:166:11 | call to operator+= | string.cpp:165:14:165:19 | call to source |
-| string.cpp:167:8:167:9 | s7 | string.cpp:165:14:165:19 | call to source |
-| string.cpp:171:8:171:9 | s8 | string.cpp:154:18:154:23 | call to source |
-| string.cpp:176:8:176:9 | s9 | string.cpp:174:13:174:18 | call to source |
-| string.cpp:184:8:184:10 | s10 | string.cpp:181:12:181:26 | call to source |
-| string.cpp:198:10:198:15 | call to assign | string.cpp:190:17:190:22 | call to source |
-| string.cpp:199:7:199:8 | s4 | string.cpp:190:17:190:22 | call to source |
-| string.cpp:201:10:201:15 | call to assign | string.cpp:191:11:191:25 | call to source |
-| string.cpp:202:7:202:8 | s5 | string.cpp:191:11:191:25 | call to source |
-| string.cpp:205:7:205:8 | s6 | string.cpp:193:17:193:22 | call to source |
-| string.cpp:219:10:219:15 | call to insert | string.cpp:210:17:210:22 | call to source |
-| string.cpp:220:7:220:8 | s4 | string.cpp:210:17:210:22 | call to source |
-| string.cpp:223:10:223:15 | call to insert | string.cpp:210:17:210:22 | call to source |
-| string.cpp:224:7:224:8 | s5 | string.cpp:210:17:210:22 | call to source |
-| string.cpp:227:10:227:15 | call to insert | string.cpp:211:11:211:25 | call to source |
-| string.cpp:228:7:228:8 | s6 | string.cpp:211:11:211:25 | call to source |
-| string.cpp:242:10:242:16 | call to replace | string.cpp:233:17:233:22 | call to source |
-| string.cpp:243:7:243:8 | s4 | string.cpp:233:17:233:22 | call to source |
-| string.cpp:246:10:246:16 | call to replace | string.cpp:233:17:233:22 | call to source |
-| string.cpp:247:7:247:8 | s5 | string.cpp:233:17:233:22 | call to source |
-| string.cpp:250:10:250:16 | call to replace | string.cpp:234:11:234:25 | call to source |
-| string.cpp:251:7:251:8 | s6 | string.cpp:234:11:234:25 | call to source |
-| string.cpp:264:7:264:8 | b2 | string.cpp:258:17:258:22 | call to source |
-| string.cpp:274:7:274:8 | s2 | string.cpp:269:17:269:22 | call to source |
-| string.cpp:276:7:276:8 | s4 | string.cpp:271:17:271:22 | call to source |
-| string.cpp:281:7:281:8 | s1 | string.cpp:269:17:269:22 | call to source |
-| string.cpp:282:7:282:8 | s2 | string.cpp:269:17:269:22 | call to source |
-| string.cpp:283:7:283:8 | s3 | string.cpp:271:17:271:22 | call to source |
-| string.cpp:284:7:284:8 | s4 | string.cpp:271:17:271:22 | call to source |
-| string.cpp:292:7:292:8 | s1 | string.cpp:288:17:288:22 | call to source |
-| string.cpp:293:7:293:8 | s2 | string.cpp:289:17:289:22 | call to source |
-| string.cpp:294:7:294:8 | s3 | string.cpp:290:17:290:22 | call to source |
-| string.cpp:300:7:300:8 | s1 | string.cpp:288:17:288:22 | call to source |
-| string.cpp:302:7:302:8 | s3 | string.cpp:290:17:290:22 | call to source |
-| string.cpp:311:9:311:12 | call to data | string.cpp:308:16:308:21 | call to source |
-| string.cpp:322:9:322:14 | call to substr | string.cpp:319:16:319:21 | call to source |
-| string.cpp:339:7:339:7 | a | string.cpp:335:9:335:23 | call to source |
-| string.cpp:340:7:340:7 | b | string.cpp:336:12:336:26 | call to source |
-| string.cpp:341:7:341:7 | c | string.cpp:335:9:335:23 | call to source |
-| string.cpp:349:7:349:9 | str | string.cpp:348:18:348:32 | call to source |
-| string.cpp:350:11:350:14 | call to data | string.cpp:348:18:348:32 | call to source |
-| string.cpp:361:11:361:16 | call to append | string.cpp:356:18:356:23 | call to source |
-| string.cpp:362:8:362:9 | s1 | string.cpp:356:18:356:23 | call to source |
-| string.cpp:380:8:380:8 | call to operator* | string.cpp:372:18:372:23 | call to source |
-| string.cpp:381:13:381:13 | call to operator[] | string.cpp:372:18:372:23 | call to source |
-| string.cpp:394:8:394:8 | call to operator* | string.cpp:387:18:387:23 | call to source |
-| string.cpp:395:8:395:8 | call to operator* | string.cpp:387:18:387:23 | call to source |
-| string.cpp:397:8:397:8 | call to operator* | string.cpp:387:18:387:23 | call to source |
-| string.cpp:399:8:399:8 | call to operator* | string.cpp:387:18:387:23 | call to source |
-| string.cpp:402:8:402:8 | call to operator* | string.cpp:387:18:387:23 | call to source |
-| string.cpp:405:8:405:8 | call to operator* | string.cpp:387:18:387:23 | call to source |
-| string.cpp:407:8:407:8 | call to operator* | string.cpp:387:18:387:23 | call to source |
-| string.cpp:409:8:409:8 | call to operator* | string.cpp:387:18:387:23 | call to source |
-| string.cpp:413:8:413:8 | call to operator* | string.cpp:387:18:387:23 | call to source |
-| string.cpp:427:10:427:15 | call to insert | string.cpp:422:14:422:19 | call to source |
-| string.cpp:428:7:428:8 | s2 | string.cpp:422:14:422:19 | call to source |
-| string.cpp:442:10:442:15 | call to insert | string.cpp:442:32:442:46 | call to source |
-| string.cpp:443:8:443:8 | b | string.cpp:442:32:442:46 | call to source |
-| string.cpp:455:10:455:15 | call to insert | string.cpp:450:18:450:23 | call to source |
-| string.cpp:456:8:456:8 | d | string.cpp:450:18:450:23 | call to source |
-| string.cpp:458:11:458:16 | call to insert | string.cpp:450:18:450:23 | call to source |
-| string.cpp:459:8:459:9 | s2 | string.cpp:450:18:450:23 | call to source |
-| string.cpp:471:10:471:15 | call to append | string.cpp:466:18:466:23 | call to source |
-| string.cpp:472:8:472:8 | f | string.cpp:466:18:466:23 | call to source |
-| string.cpp:474:11:474:16 | call to append | string.cpp:466:18:466:23 | call to source |
-| string.cpp:475:8:475:9 | s4 | string.cpp:466:18:466:23 | call to source |
-| string.cpp:487:10:487:15 | call to assign | string.cpp:482:18:482:23 | call to source |
-| string.cpp:488:8:488:8 | h | string.cpp:482:18:482:23 | call to source |
-| string.cpp:491:8:491:9 | s6 | string.cpp:482:18:482:23 | call to source |
-| string.cpp:504:7:504:8 | s2 | string.cpp:497:14:497:19 | call to source |
-| string.cpp:506:7:506:8 | s4 | string.cpp:497:14:497:19 | call to source |
-| string.cpp:515:9:515:13 | call to front | string.cpp:514:14:514:28 | call to source |
-| string.cpp:516:9:516:12 | call to back | string.cpp:514:14:514:28 | call to source |
-| string.cpp:529:11:529:11 | call to operator+= | string.cpp:529:20:529:25 | call to source |
-| string.cpp:530:21:530:21 | call to operator+= | string.cpp:530:24:530:29 | call to source |
-| string.cpp:531:25:531:25 | call to operator+= | string.cpp:531:15:531:20 | call to source |
-| string.cpp:534:8:534:8 | c | string.cpp:529:20:529:25 | call to source |
-| string.cpp:535:8:535:8 | d | string.cpp:529:20:529:25 | call to source |
-| string.cpp:536:8:536:8 | e | string.cpp:530:24:530:29 | call to source |
-| string.cpp:537:8:537:8 | f | string.cpp:531:15:531:20 | call to source |
-| string.cpp:549:11:549:16 | call to assign | string.cpp:549:27:549:32 | call to source |
-| string.cpp:550:24:550:29 | call to assign | string.cpp:550:31:550:36 | call to source |
-| string.cpp:554:8:554:8 | c | string.cpp:549:27:549:32 | call to source |
-| string.cpp:555:8:555:8 | d | string.cpp:549:27:549:32 | call to source |
-| string.cpp:556:8:556:8 | e | string.cpp:550:31:550:36 | call to source |
-| string.cpp:557:8:557:8 | f | string.cpp:551:18:551:23 | call to source |
+| string.cpp:29:7:29:7 | a | string.cpp:25:12:25:17 | call to source |
+| string.cpp:31:7:31:7 | c | string.cpp:27:16:27:21 | call to source |
+| string.cpp:33:9:33:13 | call to c_str | string.cpp:27:16:27:21 | call to source |
+| string.cpp:39:13:39:17 | call to c_str | string.cpp:14:10:14:15 | call to source |
+| string.cpp:43:13:43:17 | call to c_str | string.cpp:14:10:14:15 | call to source |
+| string.cpp:46:13:46:17 | call to c_str | string.cpp:14:10:14:15 | call to source |
+| string.cpp:56:7:56:8 | cs | string.cpp:51:19:51:24 | call to source |
+| string.cpp:57:7:57:8 | ss | string.cpp:51:19:51:24 | call to source |
+| string.cpp:70:7:70:8 | cs | string.cpp:62:19:62:24 | call to source |
+| string.cpp:71:7:71:8 | ss | string.cpp:62:19:62:24 | call to source |
+| string.cpp:93:8:93:9 | s1 | string.cpp:88:18:88:23 | call to source |
+| string.cpp:94:8:94:9 | s2 | string.cpp:89:20:89:25 | call to source |
+| string.cpp:95:8:95:9 | s3 | string.cpp:91:8:91:13 | call to source |
+| string.cpp:114:8:114:9 | s1 | string.cpp:110:32:110:37 | call to source |
+| string.cpp:115:8:115:9 | s2 | string.cpp:112:20:112:25 | call to source |
+| string.cpp:122:8:122:8 | c | string.cpp:120:16:120:21 | call to source |
+| string.cpp:126:8:126:8 | call to operator* | string.cpp:120:16:120:21 | call to source |
+| string.cpp:130:8:130:8 | c | string.cpp:120:16:120:21 | call to source |
+| string.cpp:135:8:135:8 | c | string.cpp:133:28:133:33 | call to source |
+| string.cpp:145:11:145:11 | call to operator+ | string.cpp:142:18:142:23 | call to source |
+| string.cpp:146:11:146:11 | call to operator+ | string.cpp:142:18:142:23 | call to source |
+| string.cpp:147:11:147:11 | call to operator+ | string.cpp:142:18:142:23 | call to source |
+| string.cpp:150:11:150:11 | call to operator+ | string.cpp:150:13:150:18 | call to source |
+| string.cpp:159:8:159:9 | s5 | string.cpp:155:18:155:23 | call to source |
+| string.cpp:162:11:162:11 | call to operator+= | string.cpp:155:18:155:23 | call to source |
+| string.cpp:163:8:163:9 | s6 | string.cpp:155:18:155:23 | call to source |
+| string.cpp:166:11:166:11 | call to operator+= | string.cpp:166:14:166:19 | call to source |
+| string.cpp:167:11:167:11 | call to operator+= | string.cpp:166:14:166:19 | call to source |
+| string.cpp:168:8:168:9 | s7 | string.cpp:166:14:166:19 | call to source |
+| string.cpp:172:8:172:9 | s8 | string.cpp:155:18:155:23 | call to source |
+| string.cpp:177:8:177:9 | s9 | string.cpp:175:13:175:18 | call to source |
+| string.cpp:185:8:185:10 | s10 | string.cpp:182:12:182:26 | call to source |
+| string.cpp:199:10:199:15 | call to assign | string.cpp:191:17:191:22 | call to source |
+| string.cpp:200:7:200:8 | s4 | string.cpp:191:17:191:22 | call to source |
+| string.cpp:202:10:202:15 | call to assign | string.cpp:192:11:192:25 | call to source |
+| string.cpp:203:7:203:8 | s5 | string.cpp:192:11:192:25 | call to source |
+| string.cpp:206:7:206:8 | s6 | string.cpp:194:17:194:22 | call to source |
+| string.cpp:220:10:220:15 | call to insert | string.cpp:211:17:211:22 | call to source |
+| string.cpp:221:7:221:8 | s4 | string.cpp:211:17:211:22 | call to source |
+| string.cpp:224:10:224:15 | call to insert | string.cpp:211:17:211:22 | call to source |
+| string.cpp:225:7:225:8 | s5 | string.cpp:211:17:211:22 | call to source |
+| string.cpp:228:10:228:15 | call to insert | string.cpp:212:11:212:25 | call to source |
+| string.cpp:229:7:229:8 | s6 | string.cpp:212:11:212:25 | call to source |
+| string.cpp:243:10:243:16 | call to replace | string.cpp:234:17:234:22 | call to source |
+| string.cpp:244:7:244:8 | s4 | string.cpp:234:17:234:22 | call to source |
+| string.cpp:247:10:247:16 | call to replace | string.cpp:234:17:234:22 | call to source |
+| string.cpp:248:7:248:8 | s5 | string.cpp:234:17:234:22 | call to source |
+| string.cpp:251:10:251:16 | call to replace | string.cpp:235:11:235:25 | call to source |
+| string.cpp:252:7:252:8 | s6 | string.cpp:235:11:235:25 | call to source |
+| string.cpp:265:7:265:8 | b2 | string.cpp:259:17:259:22 | call to source |
+| string.cpp:275:7:275:8 | s2 | string.cpp:270:17:270:22 | call to source |
+| string.cpp:277:7:277:8 | s4 | string.cpp:272:17:272:22 | call to source |
+| string.cpp:282:7:282:8 | s1 | string.cpp:270:17:270:22 | call to source |
+| string.cpp:283:7:283:8 | s2 | string.cpp:270:17:270:22 | call to source |
+| string.cpp:284:7:284:8 | s3 | string.cpp:272:17:272:22 | call to source |
+| string.cpp:285:7:285:8 | s4 | string.cpp:272:17:272:22 | call to source |
+| string.cpp:293:7:293:8 | s1 | string.cpp:289:17:289:22 | call to source |
+| string.cpp:294:7:294:8 | s2 | string.cpp:290:17:290:22 | call to source |
+| string.cpp:295:7:295:8 | s3 | string.cpp:291:17:291:22 | call to source |
+| string.cpp:301:7:301:8 | s1 | string.cpp:289:17:289:22 | call to source |
+| string.cpp:303:7:303:8 | s3 | string.cpp:291:17:291:22 | call to source |
+| string.cpp:312:9:312:12 | call to data | string.cpp:309:16:309:21 | call to source |
+| string.cpp:323:9:323:14 | call to substr | string.cpp:320:16:320:21 | call to source |
+| string.cpp:340:7:340:7 | a | string.cpp:336:9:336:23 | call to source |
+| string.cpp:341:7:341:7 | b | string.cpp:337:12:337:26 | call to source |
+| string.cpp:342:7:342:7 | c | string.cpp:336:9:336:23 | call to source |
+| string.cpp:350:7:350:9 | str | string.cpp:349:18:349:32 | call to source |
+| string.cpp:351:11:351:14 | call to data | string.cpp:349:18:349:32 | call to source |
+| string.cpp:363:11:363:16 | call to append | string.cpp:358:18:358:23 | call to source |
+| string.cpp:364:8:364:9 | s1 | string.cpp:358:18:358:23 | call to source |
+| string.cpp:382:8:382:8 | call to operator* | string.cpp:374:18:374:23 | call to source |
+| string.cpp:383:13:383:13 | call to operator[] | string.cpp:374:18:374:23 | call to source |
+| string.cpp:396:8:396:8 | call to operator* | string.cpp:389:18:389:23 | call to source |
+| string.cpp:397:8:397:8 | call to operator* | string.cpp:389:18:389:23 | call to source |
+| string.cpp:399:8:399:8 | call to operator* | string.cpp:389:18:389:23 | call to source |
+| string.cpp:401:8:401:8 | call to operator* | string.cpp:389:18:389:23 | call to source |
+| string.cpp:404:8:404:8 | call to operator* | string.cpp:389:18:389:23 | call to source |
+| string.cpp:407:8:407:8 | call to operator* | string.cpp:389:18:389:23 | call to source |
+| string.cpp:409:8:409:8 | call to operator* | string.cpp:389:18:389:23 | call to source |
+| string.cpp:411:8:411:8 | call to operator* | string.cpp:389:18:389:23 | call to source |
+| string.cpp:415:8:415:8 | call to operator* | string.cpp:389:18:389:23 | call to source |
+| string.cpp:418:8:418:8 | call to operator* | string.cpp:389:18:389:23 | call to source |
+| string.cpp:419:8:419:10 | call to iterator | string.cpp:389:18:389:23 | call to source |
+| string.cpp:421:8:421:8 | call to operator* | string.cpp:389:18:389:23 | call to source |
+| string.cpp:422:8:422:10 | call to iterator | string.cpp:389:18:389:23 | call to source |
+| string.cpp:436:10:436:15 | call to insert | string.cpp:431:14:431:19 | call to source |
+| string.cpp:437:7:437:8 | s2 | string.cpp:431:14:431:19 | call to source |
+| string.cpp:449:10:449:15 | call to insert | string.cpp:449:32:449:46 | call to source |
+| string.cpp:450:8:450:8 | b | string.cpp:449:32:449:46 | call to source |
+| string.cpp:462:10:462:15 | call to insert | string.cpp:457:18:457:23 | call to source |
+| string.cpp:463:8:463:8 | d | string.cpp:457:18:457:23 | call to source |
+| string.cpp:465:11:465:16 | call to insert | string.cpp:457:18:457:23 | call to source |
+| string.cpp:466:8:466:9 | s2 | string.cpp:457:18:457:23 | call to source |
+| string.cpp:478:10:478:15 | call to append | string.cpp:473:18:473:23 | call to source |
+| string.cpp:479:8:479:8 | f | string.cpp:473:18:473:23 | call to source |
+| string.cpp:481:11:481:16 | call to append | string.cpp:473:18:473:23 | call to source |
+| string.cpp:482:8:482:9 | s4 | string.cpp:473:18:473:23 | call to source |
+| string.cpp:494:10:494:15 | call to assign | string.cpp:489:18:489:23 | call to source |
+| string.cpp:495:8:495:8 | h | string.cpp:489:18:489:23 | call to source |
+| string.cpp:498:8:498:9 | s6 | string.cpp:489:18:489:23 | call to source |
+| string.cpp:511:7:511:8 | s2 | string.cpp:504:14:504:19 | call to source |
+| string.cpp:513:7:513:8 | s4 | string.cpp:504:14:504:19 | call to source |
+| string.cpp:522:9:522:13 | call to front | string.cpp:521:14:521:28 | call to source |
+| string.cpp:523:9:523:12 | call to back | string.cpp:521:14:521:28 | call to source |
+| string.cpp:536:11:536:11 | call to operator+= | string.cpp:536:20:536:25 | call to source |
+| string.cpp:537:21:537:21 | call to operator+= | string.cpp:537:24:537:29 | call to source |
+| string.cpp:538:25:538:25 | call to operator+= | string.cpp:538:15:538:20 | call to source |
+| string.cpp:541:8:541:8 | c | string.cpp:536:20:536:25 | call to source |
+| string.cpp:542:8:542:8 | d | string.cpp:536:20:536:25 | call to source |
+| string.cpp:543:8:543:8 | e | string.cpp:537:24:537:29 | call to source |
+| string.cpp:544:8:544:8 | f | string.cpp:538:15:538:20 | call to source |
+| string.cpp:556:11:556:16 | call to assign | string.cpp:556:27:556:32 | call to source |
+| string.cpp:557:24:557:29 | call to assign | string.cpp:557:31:557:36 | call to source |
+| string.cpp:561:8:561:8 | c | string.cpp:556:27:556:32 | call to source |
+| string.cpp:562:8:562:8 | d | string.cpp:556:27:556:32 | call to source |
+| string.cpp:563:8:563:8 | e | string.cpp:557:31:557:36 | call to source |
+| string.cpp:564:8:564:8 | f | string.cpp:558:18:558:23 | call to source |
 | stringstream.cpp:32:11:32:11 | call to operator<< | stringstream.cpp:32:14:32:19 | call to source |
 | stringstream.cpp:33:20:33:20 | call to operator<< | stringstream.cpp:33:23:33:28 | call to source |
 | stringstream.cpp:34:23:34:23 | call to operator<< | stringstream.cpp:34:14:34:19 | call to source |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -110,59 +110,63 @@
 | standalone_iterators.cpp:42:10:42:10 | standalone_iterators.cpp:39:45:39:51 | AST only |
 | standalone_iterators.cpp:47:10:47:10 | standalone_iterators.cpp:45:39:45:45 | AST only |
 | standalone_iterators.cpp:48:10:48:10 | standalone_iterators.cpp:45:39:45:45 | AST only |
-| string.cpp:32:9:32:13 | string.cpp:26:16:26:21 | AST only |
-| string.cpp:38:13:38:17 | string.cpp:14:10:14:15 | AST only |
-| string.cpp:42:13:42:17 | string.cpp:14:10:14:15 | AST only |
-| string.cpp:45:13:45:17 | string.cpp:14:10:14:15 | AST only |
-| string.cpp:69:7:69:8 | string.cpp:61:19:61:24 | AST only |
-| string.cpp:125:8:125:11 | string.cpp:119:16:119:21 | IR only |
-| string.cpp:161:11:161:11 | string.cpp:154:18:154:23 | AST only |
-| string.cpp:165:11:165:11 | string.cpp:165:14:165:19 | AST only |
-| string.cpp:166:11:166:11 | string.cpp:165:14:165:19 | AST only |
-| string.cpp:198:10:198:15 | string.cpp:190:17:190:22 | AST only |
-| string.cpp:201:10:201:15 | string.cpp:191:11:191:25 | AST only |
-| string.cpp:219:10:219:15 | string.cpp:210:17:210:22 | AST only |
-| string.cpp:223:10:223:15 | string.cpp:210:17:210:22 | AST only |
-| string.cpp:227:10:227:15 | string.cpp:211:11:211:25 | AST only |
-| string.cpp:242:10:242:16 | string.cpp:233:17:233:22 | AST only |
-| string.cpp:246:10:246:16 | string.cpp:233:17:233:22 | AST only |
-| string.cpp:250:10:250:16 | string.cpp:234:11:234:25 | AST only |
-| string.cpp:311:9:311:12 | string.cpp:308:16:308:21 | AST only |
-| string.cpp:339:7:339:7 | string.cpp:335:9:335:23 | AST only |
-| string.cpp:340:7:340:7 | string.cpp:336:12:336:26 | AST only |
-| string.cpp:341:7:341:7 | string.cpp:335:9:335:23 | AST only |
-| string.cpp:349:7:349:9 | string.cpp:348:18:348:32 | AST only |
-| string.cpp:350:11:350:14 | string.cpp:348:18:348:32 | AST only |
-| string.cpp:361:11:361:16 | string.cpp:356:18:356:23 | AST only |
-| string.cpp:380:8:380:14 | string.cpp:372:18:372:23 | IR only |
-| string.cpp:381:13:381:15 | string.cpp:372:18:372:23 | IR only |
-| string.cpp:394:8:394:8 | string.cpp:387:18:387:23 | AST only |
-| string.cpp:395:8:395:8 | string.cpp:387:18:387:23 | AST only |
-| string.cpp:397:8:397:8 | string.cpp:387:18:387:23 | AST only |
-| string.cpp:399:8:399:8 | string.cpp:387:18:387:23 | AST only |
-| string.cpp:402:8:402:11 | string.cpp:387:18:387:23 | IR only |
-| string.cpp:405:8:405:11 | string.cpp:387:18:387:23 | IR only |
-| string.cpp:407:8:407:8 | string.cpp:387:18:387:23 | AST only |
-| string.cpp:409:8:409:8 | string.cpp:387:18:387:23 | AST only |
-| string.cpp:413:8:413:11 | string.cpp:387:18:387:23 | IR only |
-| string.cpp:427:10:427:15 | string.cpp:422:14:422:19 | AST only |
-| string.cpp:442:10:442:15 | string.cpp:442:32:442:46 | AST only |
-| string.cpp:455:10:455:15 | string.cpp:450:18:450:23 | AST only |
-| string.cpp:458:11:458:16 | string.cpp:450:18:450:23 | AST only |
-| string.cpp:471:10:471:15 | string.cpp:466:18:466:23 | AST only |
-| string.cpp:474:11:474:16 | string.cpp:466:18:466:23 | AST only |
-| string.cpp:487:10:487:15 | string.cpp:482:18:482:23 | AST only |
-| string.cpp:515:9:515:13 | string.cpp:514:14:514:28 | AST only |
-| string.cpp:516:9:516:12 | string.cpp:514:14:514:28 | AST only |
-| string.cpp:529:11:529:11 | string.cpp:529:20:529:25 | AST only |
-| string.cpp:530:21:530:21 | string.cpp:530:24:530:29 | AST only |
-| string.cpp:531:25:531:25 | string.cpp:531:15:531:20 | AST only |
-| string.cpp:534:8:534:8 | string.cpp:529:20:529:25 | AST only |
-| string.cpp:536:8:536:8 | string.cpp:530:24:530:29 | AST only |
-| string.cpp:549:11:549:16 | string.cpp:549:27:549:32 | AST only |
-| string.cpp:550:24:550:29 | string.cpp:550:31:550:36 | AST only |
-| string.cpp:554:8:554:8 | string.cpp:549:27:549:32 | AST only |
-| string.cpp:556:8:556:8 | string.cpp:550:31:550:36 | AST only |
+| string.cpp:33:9:33:13 | string.cpp:27:16:27:21 | AST only |
+| string.cpp:39:13:39:17 | string.cpp:14:10:14:15 | AST only |
+| string.cpp:43:13:43:17 | string.cpp:14:10:14:15 | AST only |
+| string.cpp:46:13:46:17 | string.cpp:14:10:14:15 | AST only |
+| string.cpp:70:7:70:8 | string.cpp:62:19:62:24 | AST only |
+| string.cpp:126:8:126:11 | string.cpp:120:16:120:21 | IR only |
+| string.cpp:162:11:162:11 | string.cpp:155:18:155:23 | AST only |
+| string.cpp:166:11:166:11 | string.cpp:166:14:166:19 | AST only |
+| string.cpp:167:11:167:11 | string.cpp:166:14:166:19 | AST only |
+| string.cpp:199:10:199:15 | string.cpp:191:17:191:22 | AST only |
+| string.cpp:202:10:202:15 | string.cpp:192:11:192:25 | AST only |
+| string.cpp:220:10:220:15 | string.cpp:211:17:211:22 | AST only |
+| string.cpp:224:10:224:15 | string.cpp:211:17:211:22 | AST only |
+| string.cpp:228:10:228:15 | string.cpp:212:11:212:25 | AST only |
+| string.cpp:243:10:243:16 | string.cpp:234:17:234:22 | AST only |
+| string.cpp:247:10:247:16 | string.cpp:234:17:234:22 | AST only |
+| string.cpp:251:10:251:16 | string.cpp:235:11:235:25 | AST only |
+| string.cpp:312:9:312:12 | string.cpp:309:16:309:21 | AST only |
+| string.cpp:340:7:340:7 | string.cpp:336:9:336:23 | AST only |
+| string.cpp:341:7:341:7 | string.cpp:337:12:337:26 | AST only |
+| string.cpp:342:7:342:7 | string.cpp:336:9:336:23 | AST only |
+| string.cpp:350:7:350:9 | string.cpp:349:18:349:32 | AST only |
+| string.cpp:351:11:351:14 | string.cpp:349:18:349:32 | AST only |
+| string.cpp:363:11:363:16 | string.cpp:358:18:358:23 | AST only |
+| string.cpp:382:8:382:14 | string.cpp:374:18:374:23 | IR only |
+| string.cpp:383:13:383:15 | string.cpp:374:18:374:23 | IR only |
+| string.cpp:396:8:396:8 | string.cpp:389:18:389:23 | AST only |
+| string.cpp:397:8:397:8 | string.cpp:389:18:389:23 | AST only |
+| string.cpp:399:8:399:8 | string.cpp:389:18:389:23 | AST only |
+| string.cpp:401:8:401:8 | string.cpp:389:18:389:23 | AST only |
+| string.cpp:404:8:404:11 | string.cpp:389:18:389:23 | IR only |
+| string.cpp:407:8:407:11 | string.cpp:389:18:389:23 | IR only |
+| string.cpp:409:8:409:8 | string.cpp:389:18:389:23 | AST only |
+| string.cpp:411:8:411:8 | string.cpp:389:18:389:23 | AST only |
+| string.cpp:415:8:415:11 | string.cpp:389:18:389:23 | IR only |
+| string.cpp:418:8:418:8 | string.cpp:389:18:389:23 | AST only |
+| string.cpp:419:8:419:10 | string.cpp:389:18:389:23 | AST only |
+| string.cpp:421:8:421:8 | string.cpp:389:18:389:23 | AST only |
+| string.cpp:422:8:422:10 | string.cpp:389:18:389:23 | AST only |
+| string.cpp:436:10:436:15 | string.cpp:431:14:431:19 | AST only |
+| string.cpp:449:10:449:15 | string.cpp:449:32:449:46 | AST only |
+| string.cpp:462:10:462:15 | string.cpp:457:18:457:23 | AST only |
+| string.cpp:465:11:465:16 | string.cpp:457:18:457:23 | AST only |
+| string.cpp:478:10:478:15 | string.cpp:473:18:473:23 | AST only |
+| string.cpp:481:11:481:16 | string.cpp:473:18:473:23 | AST only |
+| string.cpp:494:10:494:15 | string.cpp:489:18:489:23 | AST only |
+| string.cpp:522:9:522:13 | string.cpp:521:14:521:28 | AST only |
+| string.cpp:523:9:523:12 | string.cpp:521:14:521:28 | AST only |
+| string.cpp:536:11:536:11 | string.cpp:536:20:536:25 | AST only |
+| string.cpp:537:21:537:21 | string.cpp:537:24:537:29 | AST only |
+| string.cpp:538:25:538:25 | string.cpp:538:15:538:20 | AST only |
+| string.cpp:541:8:541:8 | string.cpp:536:20:536:25 | AST only |
+| string.cpp:543:8:543:8 | string.cpp:537:24:537:29 | AST only |
+| string.cpp:556:11:556:16 | string.cpp:556:27:556:32 | AST only |
+| string.cpp:557:24:557:29 | string.cpp:557:31:557:36 | AST only |
+| string.cpp:561:8:561:8 | string.cpp:556:27:556:32 | AST only |
+| string.cpp:563:8:563:8 | string.cpp:557:31:557:36 | AST only |
 | stringstream.cpp:32:11:32:22 | stringstream.cpp:32:14:32:19 | IR only |
 | stringstream.cpp:33:20:33:31 | stringstream.cpp:33:23:33:28 | IR only |
 | stringstream.cpp:34:23:34:31 | stringstream.cpp:34:14:34:19 | IR only |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_ir.expected
@@ -118,80 +118,80 @@
 | smart_pointer.cpp:57:12:57:14 | call to get | smart_pointer.cpp:56:52:56:57 | call to source |
 | standalone_iterators.cpp:40:10:40:10 | call to operator* | standalone_iterators.cpp:39:45:39:51 | source1 |
 | standalone_iterators.cpp:46:10:46:10 | call to operator* | standalone_iterators.cpp:45:39:45:45 | source1 |
-| string.cpp:28:7:28:7 | a | string.cpp:24:12:24:17 | call to source |
-| string.cpp:30:7:30:7 | Argument 0 indirection | string.cpp:26:16:26:21 | call to source |
-| string.cpp:55:7:55:8 | cs | string.cpp:50:19:50:24 | call to source |
-| string.cpp:56:7:56:8 | Argument 0 indirection | string.cpp:50:19:50:24 | call to source |
-| string.cpp:70:7:70:8 | Argument 0 indirection | string.cpp:61:19:61:24 | call to source |
-| string.cpp:92:8:92:9 | Argument 0 indirection | string.cpp:87:18:87:23 | call to source |
-| string.cpp:93:8:93:9 | Argument 0 indirection | string.cpp:88:20:88:25 | call to source |
-| string.cpp:94:8:94:9 | Argument 0 indirection | string.cpp:90:8:90:13 | call to source |
-| string.cpp:113:8:113:9 | Argument 0 indirection | string.cpp:109:32:109:37 | call to source |
-| string.cpp:114:8:114:9 | Argument 0 indirection | string.cpp:111:20:111:25 | call to source |
-| string.cpp:121:8:121:8 | c | string.cpp:119:16:119:21 | call to source |
-| string.cpp:125:8:125:8 | call to operator* | string.cpp:119:16:119:21 | call to source |
-| string.cpp:125:8:125:11 | (reference dereference) | string.cpp:119:16:119:21 | call to source |
-| string.cpp:129:8:129:8 | (reference dereference) | string.cpp:119:16:119:21 | call to source |
-| string.cpp:129:8:129:8 | c | string.cpp:119:16:119:21 | call to source |
-| string.cpp:134:8:134:8 | (reference dereference) | string.cpp:132:28:132:33 | call to source |
-| string.cpp:134:8:134:8 | c | string.cpp:132:28:132:33 | call to source |
-| string.cpp:144:11:144:11 | call to operator+ | string.cpp:141:18:141:23 | call to source |
-| string.cpp:145:11:145:11 | call to operator+ | string.cpp:141:18:141:23 | call to source |
-| string.cpp:146:11:146:11 | call to operator+ | string.cpp:141:18:141:23 | call to source |
-| string.cpp:149:11:149:11 | call to operator+ | string.cpp:149:13:149:18 | call to source |
-| string.cpp:158:8:158:9 | Argument 0 indirection | string.cpp:154:18:154:23 | call to source |
-| string.cpp:162:8:162:9 | Argument 0 indirection | string.cpp:154:18:154:23 | call to source |
-| string.cpp:167:8:167:9 | Argument 0 indirection | string.cpp:165:14:165:19 | call to source |
-| string.cpp:171:8:171:9 | Argument 0 indirection | string.cpp:154:18:154:23 | call to source |
-| string.cpp:176:8:176:9 | Argument 0 indirection | string.cpp:174:13:174:18 | call to source |
-| string.cpp:184:8:184:10 | Argument 0 indirection | string.cpp:181:12:181:26 | call to source |
-| string.cpp:199:7:199:8 | Argument 0 indirection | string.cpp:190:17:190:22 | call to source |
-| string.cpp:202:7:202:8 | Argument 0 indirection | string.cpp:191:11:191:25 | call to source |
-| string.cpp:205:7:205:8 | Argument 0 indirection | string.cpp:193:17:193:22 | call to source |
-| string.cpp:220:7:220:8 | Argument 0 indirection | string.cpp:210:17:210:22 | call to source |
-| string.cpp:224:7:224:8 | Argument 0 indirection | string.cpp:210:17:210:22 | call to source |
-| string.cpp:228:7:228:8 | Argument 0 indirection | string.cpp:211:11:211:25 | call to source |
-| string.cpp:243:7:243:8 | Argument 0 indirection | string.cpp:233:17:233:22 | call to source |
-| string.cpp:247:7:247:8 | Argument 0 indirection | string.cpp:233:17:233:22 | call to source |
-| string.cpp:251:7:251:8 | Argument 0 indirection | string.cpp:234:11:234:25 | call to source |
-| string.cpp:264:7:264:8 | Argument 0 indirection | string.cpp:258:17:258:22 | call to source |
-| string.cpp:274:7:274:8 | Argument 0 indirection | string.cpp:269:17:269:22 | call to source |
-| string.cpp:276:7:276:8 | Argument 0 indirection | string.cpp:271:17:271:22 | call to source |
-| string.cpp:281:7:281:8 | Argument 0 indirection | string.cpp:269:17:269:22 | call to source |
-| string.cpp:282:7:282:8 | Argument 0 indirection | string.cpp:269:17:269:22 | call to source |
-| string.cpp:283:7:283:8 | Argument 0 indirection | string.cpp:271:17:271:22 | call to source |
-| string.cpp:284:7:284:8 | Argument 0 indirection | string.cpp:271:17:271:22 | call to source |
-| string.cpp:292:7:292:8 | Argument 0 indirection | string.cpp:288:17:288:22 | call to source |
+| string.cpp:29:7:29:7 | a | string.cpp:25:12:25:17 | call to source |
+| string.cpp:31:7:31:7 | Argument 0 indirection | string.cpp:27:16:27:21 | call to source |
+| string.cpp:56:7:56:8 | cs | string.cpp:51:19:51:24 | call to source |
+| string.cpp:57:7:57:8 | Argument 0 indirection | string.cpp:51:19:51:24 | call to source |
+| string.cpp:71:7:71:8 | Argument 0 indirection | string.cpp:62:19:62:24 | call to source |
+| string.cpp:93:8:93:9 | Argument 0 indirection | string.cpp:88:18:88:23 | call to source |
+| string.cpp:94:8:94:9 | Argument 0 indirection | string.cpp:89:20:89:25 | call to source |
+| string.cpp:95:8:95:9 | Argument 0 indirection | string.cpp:91:8:91:13 | call to source |
+| string.cpp:114:8:114:9 | Argument 0 indirection | string.cpp:110:32:110:37 | call to source |
+| string.cpp:115:8:115:9 | Argument 0 indirection | string.cpp:112:20:112:25 | call to source |
+| string.cpp:122:8:122:8 | c | string.cpp:120:16:120:21 | call to source |
+| string.cpp:126:8:126:8 | call to operator* | string.cpp:120:16:120:21 | call to source |
+| string.cpp:126:8:126:11 | (reference dereference) | string.cpp:120:16:120:21 | call to source |
+| string.cpp:130:8:130:8 | (reference dereference) | string.cpp:120:16:120:21 | call to source |
+| string.cpp:130:8:130:8 | c | string.cpp:120:16:120:21 | call to source |
+| string.cpp:135:8:135:8 | (reference dereference) | string.cpp:133:28:133:33 | call to source |
+| string.cpp:135:8:135:8 | c | string.cpp:133:28:133:33 | call to source |
+| string.cpp:145:11:145:11 | call to operator+ | string.cpp:142:18:142:23 | call to source |
+| string.cpp:146:11:146:11 | call to operator+ | string.cpp:142:18:142:23 | call to source |
+| string.cpp:147:11:147:11 | call to operator+ | string.cpp:142:18:142:23 | call to source |
+| string.cpp:150:11:150:11 | call to operator+ | string.cpp:150:13:150:18 | call to source |
+| string.cpp:159:8:159:9 | Argument 0 indirection | string.cpp:155:18:155:23 | call to source |
+| string.cpp:163:8:163:9 | Argument 0 indirection | string.cpp:155:18:155:23 | call to source |
+| string.cpp:168:8:168:9 | Argument 0 indirection | string.cpp:166:14:166:19 | call to source |
+| string.cpp:172:8:172:9 | Argument 0 indirection | string.cpp:155:18:155:23 | call to source |
+| string.cpp:177:8:177:9 | Argument 0 indirection | string.cpp:175:13:175:18 | call to source |
+| string.cpp:185:8:185:10 | Argument 0 indirection | string.cpp:182:12:182:26 | call to source |
+| string.cpp:200:7:200:8 | Argument 0 indirection | string.cpp:191:17:191:22 | call to source |
+| string.cpp:203:7:203:8 | Argument 0 indirection | string.cpp:192:11:192:25 | call to source |
+| string.cpp:206:7:206:8 | Argument 0 indirection | string.cpp:194:17:194:22 | call to source |
+| string.cpp:221:7:221:8 | Argument 0 indirection | string.cpp:211:17:211:22 | call to source |
+| string.cpp:225:7:225:8 | Argument 0 indirection | string.cpp:211:17:211:22 | call to source |
+| string.cpp:229:7:229:8 | Argument 0 indirection | string.cpp:212:11:212:25 | call to source |
+| string.cpp:244:7:244:8 | Argument 0 indirection | string.cpp:234:17:234:22 | call to source |
+| string.cpp:248:7:248:8 | Argument 0 indirection | string.cpp:234:17:234:22 | call to source |
+| string.cpp:252:7:252:8 | Argument 0 indirection | string.cpp:235:11:235:25 | call to source |
+| string.cpp:265:7:265:8 | Argument 0 indirection | string.cpp:259:17:259:22 | call to source |
+| string.cpp:275:7:275:8 | Argument 0 indirection | string.cpp:270:17:270:22 | call to source |
+| string.cpp:277:7:277:8 | Argument 0 indirection | string.cpp:272:17:272:22 | call to source |
+| string.cpp:282:7:282:8 | Argument 0 indirection | string.cpp:270:17:270:22 | call to source |
+| string.cpp:283:7:283:8 | Argument 0 indirection | string.cpp:270:17:270:22 | call to source |
+| string.cpp:284:7:284:8 | Argument 0 indirection | string.cpp:272:17:272:22 | call to source |
+| string.cpp:285:7:285:8 | Argument 0 indirection | string.cpp:272:17:272:22 | call to source |
 | string.cpp:293:7:293:8 | Argument 0 indirection | string.cpp:289:17:289:22 | call to source |
 | string.cpp:294:7:294:8 | Argument 0 indirection | string.cpp:290:17:290:22 | call to source |
-| string.cpp:300:7:300:8 | Argument 0 indirection | string.cpp:288:17:288:22 | call to source |
-| string.cpp:302:7:302:8 | Argument 0 indirection | string.cpp:290:17:290:22 | call to source |
-| string.cpp:322:9:322:14 | call to substr | string.cpp:319:16:319:21 | call to source |
-| string.cpp:362:8:362:9 | Argument 0 indirection | string.cpp:356:18:356:23 | call to source |
-| string.cpp:380:8:380:8 | call to operator* | string.cpp:372:18:372:23 | call to source |
-| string.cpp:380:8:380:14 | (reference dereference) | string.cpp:372:18:372:23 | call to source |
-| string.cpp:381:13:381:13 | call to operator[] | string.cpp:372:18:372:23 | call to source |
-| string.cpp:381:13:381:15 | (reference dereference) | string.cpp:372:18:372:23 | call to source |
-| string.cpp:402:8:402:8 | call to operator* | string.cpp:387:18:387:23 | call to source |
-| string.cpp:402:8:402:11 | (reference dereference) | string.cpp:387:18:387:23 | call to source |
-| string.cpp:405:8:405:8 | call to operator* | string.cpp:387:18:387:23 | call to source |
-| string.cpp:405:8:405:11 | (reference dereference) | string.cpp:387:18:387:23 | call to source |
-| string.cpp:413:8:413:8 | call to operator* | string.cpp:387:18:387:23 | call to source |
-| string.cpp:413:8:413:11 | (reference dereference) | string.cpp:387:18:387:23 | call to source |
-| string.cpp:428:7:428:8 | Argument 0 indirection | string.cpp:422:14:422:19 | call to source |
-| string.cpp:443:8:443:8 | Argument 0 indirection | string.cpp:442:32:442:46 | call to source |
-| string.cpp:456:8:456:8 | Argument 0 indirection | string.cpp:450:18:450:23 | call to source |
-| string.cpp:459:8:459:9 | Argument 0 indirection | string.cpp:450:18:450:23 | call to source |
-| string.cpp:472:8:472:8 | Argument 0 indirection | string.cpp:466:18:466:23 | call to source |
-| string.cpp:475:8:475:9 | Argument 0 indirection | string.cpp:466:18:466:23 | call to source |
-| string.cpp:488:8:488:8 | Argument 0 indirection | string.cpp:482:18:482:23 | call to source |
-| string.cpp:491:8:491:9 | Argument 0 indirection | string.cpp:482:18:482:23 | call to source |
-| string.cpp:504:7:504:8 | Argument 0 indirection | string.cpp:497:14:497:19 | call to source |
-| string.cpp:506:7:506:8 | Argument 0 indirection | string.cpp:497:14:497:19 | call to source |
-| string.cpp:535:8:535:8 | Argument 0 indirection | string.cpp:529:20:529:25 | call to source |
-| string.cpp:537:8:537:8 | Argument 0 indirection | string.cpp:531:15:531:20 | call to source |
-| string.cpp:555:8:555:8 | Argument 0 indirection | string.cpp:549:27:549:32 | call to source |
-| string.cpp:557:8:557:8 | Argument 0 indirection | string.cpp:551:18:551:23 | call to source |
+| string.cpp:295:7:295:8 | Argument 0 indirection | string.cpp:291:17:291:22 | call to source |
+| string.cpp:301:7:301:8 | Argument 0 indirection | string.cpp:289:17:289:22 | call to source |
+| string.cpp:303:7:303:8 | Argument 0 indirection | string.cpp:291:17:291:22 | call to source |
+| string.cpp:323:9:323:14 | call to substr | string.cpp:320:16:320:21 | call to source |
+| string.cpp:364:8:364:9 | Argument 0 indirection | string.cpp:358:18:358:23 | call to source |
+| string.cpp:382:8:382:8 | call to operator* | string.cpp:374:18:374:23 | call to source |
+| string.cpp:382:8:382:14 | (reference dereference) | string.cpp:374:18:374:23 | call to source |
+| string.cpp:383:13:383:13 | call to operator[] | string.cpp:374:18:374:23 | call to source |
+| string.cpp:383:13:383:15 | (reference dereference) | string.cpp:374:18:374:23 | call to source |
+| string.cpp:404:8:404:8 | call to operator* | string.cpp:389:18:389:23 | call to source |
+| string.cpp:404:8:404:11 | (reference dereference) | string.cpp:389:18:389:23 | call to source |
+| string.cpp:407:8:407:8 | call to operator* | string.cpp:389:18:389:23 | call to source |
+| string.cpp:407:8:407:11 | (reference dereference) | string.cpp:389:18:389:23 | call to source |
+| string.cpp:415:8:415:8 | call to operator* | string.cpp:389:18:389:23 | call to source |
+| string.cpp:415:8:415:11 | (reference dereference) | string.cpp:389:18:389:23 | call to source |
+| string.cpp:437:7:437:8 | Argument 0 indirection | string.cpp:431:14:431:19 | call to source |
+| string.cpp:450:8:450:8 | Argument 0 indirection | string.cpp:449:32:449:46 | call to source |
+| string.cpp:463:8:463:8 | Argument 0 indirection | string.cpp:457:18:457:23 | call to source |
+| string.cpp:466:8:466:9 | Argument 0 indirection | string.cpp:457:18:457:23 | call to source |
+| string.cpp:479:8:479:8 | Argument 0 indirection | string.cpp:473:18:473:23 | call to source |
+| string.cpp:482:8:482:9 | Argument 0 indirection | string.cpp:473:18:473:23 | call to source |
+| string.cpp:495:8:495:8 | Argument 0 indirection | string.cpp:489:18:489:23 | call to source |
+| string.cpp:498:8:498:9 | Argument 0 indirection | string.cpp:489:18:489:23 | call to source |
+| string.cpp:511:7:511:8 | Argument 0 indirection | string.cpp:504:14:504:19 | call to source |
+| string.cpp:513:7:513:8 | Argument 0 indirection | string.cpp:504:14:504:19 | call to source |
+| string.cpp:542:8:542:8 | Argument 0 indirection | string.cpp:536:20:536:25 | call to source |
+| string.cpp:544:8:544:8 | Argument 0 indirection | string.cpp:538:15:538:20 | call to source |
+| string.cpp:562:8:562:8 | Argument 0 indirection | string.cpp:556:27:556:32 | call to source |
+| string.cpp:564:8:564:8 | Argument 0 indirection | string.cpp:558:18:558:23 | call to source |
 | stringstream.cpp:32:11:32:11 | call to operator<< | stringstream.cpp:32:14:32:19 | call to source |
 | stringstream.cpp:32:11:32:22 | (reference dereference) | stringstream.cpp:32:14:32:19 | call to source |
 | stringstream.cpp:33:20:33:20 | call to operator<< | stringstream.cpp:33:23:33:28 | call to source |
--- a/csharp/ql/src/Metrics/Dependencies/ExternalDependencies.ql
+++ b/csharp/ql/src/Metrics/Dependencies/ExternalDependencies.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name External dependencies
 * @description Count the number of dependencies a C# source file has on assembly files.
 * @kind treemap
--- a/csharp/ql/src/Metrics/Dependencies/ExternalDependenciesSourceLinks.ql
+++ b/csharp/ql/src/Metrics/Dependencies/ExternalDependenciesSourceLinks.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name External dependency source links
 * @kind source-link
 * @metricType externalDependency
--- a/csharp/ql/src/Metrics/Files/FLinesOfDuplicatedCode.ql
+++ b/csharp/ql/src/Metrics/Files/FLinesOfDuplicatedCode.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Duplicated lines in files
 * @description The number of lines in a file, including code, comment and whitespace lines,
 *              which are duplicated in at least one other place.
--- a/csharp/ql/src/codeql-suites/csharp-lgtm-full.qls
+++ b/csharp/ql/src/codeql-suites/csharp-lgtm-full.qls
@@ -7,10 +7,7 @@
    tags contain:
      - ide-contextual-queries/local-definitions
      - ide-contextual-queries/local-references
- query: Metrics/Dependencies/ExternalDependencies.ql
- query: Metrics/Dependencies/ExternalDependenciesSourceLinks.ql
 - query: Metrics/Files/FLinesOfCode.ql
 - query: Metrics/Files/FLinesOfCommentedCode.ql
 - query: Metrics/Files/FLinesOfComment.ql
- query: Metrics/Files/FLinesOfDuplicatedCode.ql
 - query: Metrics/Files/FNumberOfTests.ql
--- a/csharp/ql/src/external/DuplicateMethod.ql
+++ b/csharp/ql/src/external/DuplicateMethod.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Duplicate method
 * @description There is another identical implementation of this method. Extract the code to a common superclass or delegate to improve sharing.
 * @kind problem
--- a/csharp/ql/src/external/MostlyDuplicateClass.ql
+++ b/csharp/ql/src/external/MostlyDuplicateClass.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Duplicate class
 * @description More than 80% of the methods in this class are duplicated in another class. Create a common supertype to improve code sharing.
 * @kind problem
--- a/csharp/ql/src/external/MostlyDuplicateFile.ql
+++ b/csharp/ql/src/external/MostlyDuplicateFile.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Mostly duplicate file
 * @description There is another file that shares a lot of the code with this file. Merge the two files to improve maintainability.
 * @kind problem
--- a/csharp/ql/src/external/MostlyDuplicateMethod.ql
+++ b/csharp/ql/src/external/MostlyDuplicateMethod.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Mostly duplicate method
 * @description There is another method that shares a lot of the code with this method. Extract the code to a common superclass or delegate to improve sharing.
 * @kind problem
--- a/csharp/ql/src/external/MostlySimilarFile.ql
+++ b/csharp/ql/src/external/MostlySimilarFile.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Mostly similar file
 * @description There is another file that shares a lot of the code with this file. Notice that names of variables and types may have been changed. Merge the two files to improve maintainability.
 * @kind problem
--- a/java/ql/src/Metrics/Dependencies/ExternalDependencies.ql
+++ b/java/ql/src/Metrics/Dependencies/ExternalDependencies.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name External dependencies
 * @description Count the number of dependencies a Java source file has on jar files.
 * @kind treemap
--- a/java/ql/src/Metrics/Dependencies/ExternalDependenciesSourceLinks.ql
+++ b/java/ql/src/Metrics/Dependencies/ExternalDependenciesSourceLinks.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name External dependency source links
 * @kind source-link
 * @metricType externalDependency
--- a/java/ql/src/Metrics/Files/FLinesOfDuplicatedCode.ql
+++ b/java/ql/src/Metrics/Files/FLinesOfDuplicatedCode.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Duplicated lines in files
 * @description The number of lines in a file, including code, comment and whitespace lines,
 *              which are duplicated in at least one other place.
--- a/java/ql/src/Metrics/Files/FLinesOfSimilarCode.ql
+++ b/java/ql/src/Metrics/Files/FLinesOfSimilarCode.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Similar lines in files
 * @description The number of lines in a file, including code, comment and whitespace lines,
 *              which are similar to lines in at least one other place.
--- a/java/ql/src/codeql-suites/java-lgtm-full.qls
+++ b/java/ql/src/codeql-suites/java-lgtm-full.qls
@@ -7,10 +7,7 @@
    tags contain:
      - ide-contextual-queries/local-definitions
      - ide-contextual-queries/local-references
- query: Metrics/Dependencies/ExternalDependencies.ql
- query: Metrics/Dependencies/ExternalDependenciesSourceLinks.ql
 - query: Metrics/Files/FLinesOfCode.ql
 - query: Metrics/Files/FLinesOfCommentedCode.ql
 - query: Metrics/Files/FLinesOfComment.ql
- query: Metrics/Files/FLinesOfDuplicatedCode.ql
 - query: Metrics/Files/FNumberOfTests.ql
--- a/java/ql/src/external/DuplicateAnonymous.ql
+++ b/java/ql/src/external/DuplicateAnonymous.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Duplicate anonymous class
 * @description Duplicated anonymous classes indicate that refactoring is necessary.
 * @kind problem
--- a/java/ql/src/external/DuplicateBlock.ql
+++ b/java/ql/src/external/DuplicateBlock.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Duplicate code
 * @description This block of code is duplicated elsewhere. If possible, the shared code should be refactored so there is only one occurrence left. It may not always be possible to address these issues; other duplicate code checks (such as duplicate function, duplicate class) give subsets of the results with higher confidence.
 * @kind problem
--- a/java/ql/src/external/DuplicateMethod.ql
+++ b/java/ql/src/external/DuplicateMethod.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Duplicate method
 * @description Duplicated methods make code more difficult to understand and introduce a risk of
 *              changes being made to only one copy.
--- a/java/ql/src/external/MostlyDuplicateClass.ql
+++ b/java/ql/src/external/MostlyDuplicateClass.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Mostly duplicate class
 * @description Classes in which most of the methods are duplicated in another class make code more
 *              difficult to understand and introduce a risk of changes being made to only one copy.
--- a/java/ql/src/external/MostlyDuplicateFile.ql
+++ b/java/ql/src/external/MostlyDuplicateFile.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Mostly duplicate file
 * @description Files in which most of the lines are duplicated in another file make code more
 *              difficult to understand and introduce a risk of changes being made to only one copy.
--- a/java/ql/src/external/MostlyDuplicateMethod.ql
+++ b/java/ql/src/external/MostlyDuplicateMethod.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Mostly duplicate method
 * @description Methods in which most of the lines are duplicated in another method make code more
 *              difficult to understand and introduce a risk of changes being made to only one copy.
--- a/java/ql/src/external/MostlySimilarFile.ql
+++ b/java/ql/src/external/MostlySimilarFile.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Mostly similar file
 * @description Files in which most of the lines are similar to those in another file make code more
 *              difficult to understand and introduce a risk of changes being made to only one copy.
--- a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -124,6 +124,8 @@ private predicate localAdditionalTaintExprStep(Expr src, Expr sink) {
  stringBuilderStep(src, sink)
  or
  serializationStep(src, sink)
+  or
+  formatStep(src, sink)
 }

 /**
@@ -387,6 +389,9 @@ private predicate taintPreservingQualifierToMethod(Method m) {
      stringlist.getTypeArgument(0) instanceof TypeString
    )
  )
+  or
+  m.getDeclaringType() instanceof TypeFormatter and
+  m.hasName(["format", "out"])
 }

 private class StringReplaceMethod extends Method {
@@ -447,6 +452,9 @@ private predicate argToMethodStep(Expr tracked, MethodAccess sink) {
 private predicate taintPreservingArgumentToMethod(Method method) {
  method.getDeclaringType() instanceof TypeString and
  (method.hasName("format") or method.hasName("formatted") or method.hasName("join"))
+  or
+  method.getDeclaringType() instanceof TypeFormatter and
+  method.hasName("format")
 }

 /**
@@ -625,6 +633,20 @@ private predicate argToQualifierStep(Expr tracked, Expr sink) {
    tracked = ma.getArgument(i) and
    sink = ma.getQualifier()
  )
+  or
+  exists(MethodAccess ma |
+    taintPreservingArgumentToQualifier(ma.getMethod()) and
+    tracked = ma.getAnArgument() and
+    sink = ma.getQualifier()
+  )
+}
+
+/**
+ * Holds if `method` is a method that transfers taint from any of its arguments to its qualifier.
+ */
+private predicate taintPreservingArgumentToQualifier(Method method) {
+  method.getDeclaringType() instanceof TypeFormatter and
+  method.hasName("format")
 }

 /**
@@ -722,6 +744,56 @@ class ObjectOutputStreamVar extends LocalVariableDecl {
  }
 }

+/** Flow through string formatting. */
+private predicate formatStep(Expr tracked, Expr sink) {
+  exists(FormatterVar v, VariableAssign def |
+    def = v.getADef() and
+    exists(MethodAccess ma, RValue use |
+      ma.getAnArgument() = tracked and
+      ma = v.getAFormatMethodAccess() and
+      use = ma.getQualifier() and
+      defUsePair(def, use)
+    ) and
+    exists(RValue output, ClassInstanceExpr cie |
+      cie = def.getSource() and
+      output = cie.getArgument(0) and
+      adjacentUseUse(output, sink) and
+      exists(RefType t | output.getType().(RefType).getASourceSupertype*() = t |
+        t.hasQualifiedName("java.io", "OutputStream") or
+        t.hasQualifiedName("java.lang", "Appendable")
+      )
+    )
+  )
+}
+
+/**
+ * A local variable that is assigned a `Formatter`.
+ * Writing tainted data to such a formatter causes the underlying
+ * `OutputStream` or `Appendable` to be tainted.
+ */
+private class FormatterVar extends LocalVariableDecl {
+  FormatterVar() {
+    exists(ClassInstanceExpr cie | cie = this.getAnAssignedValue() |
+      cie.getType() instanceof TypeFormatter
+    )
+  }
+
+  VariableAssign getADef() {
+    result.getSource().(ClassInstanceExpr).getType() instanceof TypeFormatter and
+    result.getDestVar() = this
+  }
+
+  MethodAccess getAFormatMethodAccess() {
+    result.getQualifier() = getAnAccess() and
+    result.getMethod().hasName("format")
+  }
+}
+
+/** The class `java.util.Formatter`. */
+private class TypeFormatter extends Class {
+  TypeFormatter() { this.hasQualifiedName("java.util", "Formatter") }
+}
+
 private import StringBuilderVarModule

 module StringBuilderVarModule {
--- a/java/ql/test/library-tests/dataflow/taint-format/A.java
+++ b/java/ql/test/library-tests/dataflow/taint-format/A.java
@@ -0,0 +1,45 @@
+import java.util.Formatter;
+import java.lang.StringBuilder;
+import java.lang.System;
+import java.io.Console;
+
+class A {
+    public static String taint() { return "tainted"; }
+
+    public static void test1() {
+        String bad = taint();
+        String good = "hi";
+
+        bad.formatted(good);
+        good.formatted("a", bad, "b", good);
+        String.format("%s%s", bad, good);
+        String.format("%s", good);
+    }
+
+    public static void test2() {
+        String bad = taint();
+        Formatter f = new Formatter();
+
+        f.toString();
+        f.format("%s", bad);
+        f.toString();
+    }
+
+    public static void test3() {
+        String bad = taint();
+        StringBuilder sb = new StringBuilder();
+        Formatter f = new Formatter(sb);
+
+        sb.toString(); // false positive
+        f.format("%s", bad);
+        sb.toString();
+    }
+
+    public static void test4() {
+        String bad = taint();
+        Console c = System.console();
+
+        c.format(bad);
+        c.readLine("Enter something: %s", bad);
+    }
+}
--- a/java/ql/test/library-tests/dataflow/taint-format/options
+++ b/java/ql/test/library-tests/dataflow/taint-format/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args --enable-preview -source 14 -target 14
--- a/java/ql/test/library-tests/dataflow/taint-format/test.expected
+++ b/java/ql/test/library-tests/dataflow/taint-format/test.expected
@@ -0,0 +1,28 @@
+| A.java:10:22:10:28 | taint(...) | A.java:10:22:10:28 | taint(...) |
+| A.java:10:22:10:28 | taint(...) | A.java:13:9:13:11 | bad |
+| A.java:10:22:10:28 | taint(...) | A.java:13:9:13:27 | formatted(...) |
+| A.java:10:22:10:28 | taint(...) | A.java:14:9:14:43 | formatted(...) |
+| A.java:10:22:10:28 | taint(...) | A.java:14:9:14:43 | new ..[] { .. } |
+| A.java:10:22:10:28 | taint(...) | A.java:14:29:14:31 | bad |
+| A.java:10:22:10:28 | taint(...) | A.java:15:9:15:40 | format(...) |
+| A.java:10:22:10:28 | taint(...) | A.java:15:9:15:40 | new ..[] { .. } |
+| A.java:10:22:10:28 | taint(...) | A.java:15:31:15:33 | bad |
+| A.java:20:22:20:28 | taint(...) | A.java:20:22:20:28 | taint(...) |
+| A.java:20:22:20:28 | taint(...) | A.java:24:9:24:9 | f [post update] |
+| A.java:20:22:20:28 | taint(...) | A.java:24:9:24:27 | format(...) |
+| A.java:20:22:20:28 | taint(...) | A.java:24:9:24:27 | new ..[] { .. } |
+| A.java:20:22:20:28 | taint(...) | A.java:24:24:24:26 | bad |
+| A.java:20:22:20:28 | taint(...) | A.java:25:9:25:9 | f |
+| A.java:29:22:29:28 | taint(...) | A.java:29:22:29:28 | taint(...) |
+| A.java:29:22:29:28 | taint(...) | A.java:33:9:33:10 | sb |
+| A.java:29:22:29:28 | taint(...) | A.java:33:9:33:21 | toString(...) |
+| A.java:29:22:29:28 | taint(...) | A.java:34:9:34:9 | f [post update] |
+| A.java:29:22:29:28 | taint(...) | A.java:34:9:34:27 | format(...) |
+| A.java:29:22:29:28 | taint(...) | A.java:34:9:34:27 | new ..[] { .. } |
+| A.java:29:22:29:28 | taint(...) | A.java:34:24:34:26 | bad |
+| A.java:29:22:29:28 | taint(...) | A.java:35:9:35:10 | sb |
+| A.java:29:22:29:28 | taint(...) | A.java:35:9:35:21 | toString(...) |
+| A.java:39:22:39:28 | taint(...) | A.java:39:22:39:28 | taint(...) |
+| A.java:39:22:39:28 | taint(...) | A.java:42:18:42:20 | bad |
+| A.java:39:22:39:28 | taint(...) | A.java:43:9:43:46 | new ..[] { .. } |
+| A.java:39:22:39:28 | taint(...) | A.java:43:43:43:45 | bad |
--- a/java/ql/test/library-tests/dataflow/taint-format/test.ql
+++ b/java/ql/test/library-tests/dataflow/taint-format/test.ql
@@ -0,0 +1,16 @@
+import java
+import semmle.code.java.dataflow.TaintTracking
+
+class Conf extends TaintTracking::Configuration {
+  Conf() { this = "qltest:dataflow:format" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod().hasName("taint")
+  }
+
+  override predicate isSink(DataFlow::Node n) { any() }
+}
+
+from DataFlow::Node src, DataFlow::Node sink, Conf conf
+where conf.hasFlow(src, sink)
+select src, sink
--- a/javascript/ql/src/Metrics/Dependencies/ExternalDependencies.ql
+++ b/javascript/ql/src/Metrics/Dependencies/ExternalDependencies.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name External dependencies
 * @description Count the number of dependencies a JavaScript source file has on
 *              NPM packages or framework libraries.
--- a/javascript/ql/src/Metrics/Dependencies/ExternalDependenciesSourceLinks.ql
+++ b/javascript/ql/src/Metrics/Dependencies/ExternalDependenciesSourceLinks.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name External dependency source links
 * @kind source-link
 * @metricType externalDependency
--- a/javascript/ql/src/Metrics/FLinesOfDuplicatedCode.ql
+++ b/javascript/ql/src/Metrics/FLinesOfDuplicatedCode.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Duplicated lines in files
 * @description The number of lines in a file (including code, comment and whitespace lines)
 *              occurring in a block of lines that is duplicated at least once somewhere else.
--- a/javascript/ql/src/Metrics/FLinesOfSimilarCode.ql
+++ b/javascript/ql/src/Metrics/FLinesOfSimilarCode.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Similar lines in files
 * @description The number of lines in a file (including code, comment and whitespace lines)
 *              occurring in a block of lines that is similar to a block of lines seen
--- a/javascript/ql/src/codeql-suites/javascript-lgtm-full.qls
+++ b/javascript/ql/src/codeql-suites/javascript-lgtm-full.qls
@@ -8,10 +8,6 @@
      - ide-contextual-queries/local-definitions
      - ide-contextual-queries/local-references
 - query: Comments/FCommentedOutCode.ql
- query: Metrics/Dependencies/ExternalDependencies.ql
- query: Metrics/Dependencies/ExternalDependenciesSourceLinks.ql
 - query: Metrics/FLinesOfCode.ql
 - query: Metrics/FLinesOfComment.ql
- query: Metrics/FLinesOfDuplicatedCode.ql
- query: Metrics/FLinesOfSimilarCode.ql
 - query: Metrics/FNumberOfTests.ql
--- a/javascript/ql/src/external/DuplicateFunction.ql
+++ b/javascript/ql/src/external/DuplicateFunction.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Duplicate function
 * @description There is another function that shares a lot of code with this function.
 *              Extract the common parts to a shared utility function to improve maintainability.
--- a/javascript/ql/src/external/DuplicateToplevel.ql
+++ b/javascript/ql/src/external/DuplicateToplevel.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Duplicate script
 * @description There is another script that shares a lot of code with this script. Consider combining the
 *              two scripts to improve maintainability.
--- a/javascript/ql/src/external/SimilarFunction.ql
+++ b/javascript/ql/src/external/SimilarFunction.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Similar function
 * @description There is another function that shares a lot of code with this function.
 *              Extract the common parts to a shared utility function to improve maintainability.
--- a/javascript/ql/src/external/SimilarToplevel.ql
+++ b/javascript/ql/src/external/SimilarToplevel.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Similar script
 * @description There is another script that shares a lot of code with this script.
 *              Extract the common parts to a new script to improve maintainability..
--- a/javascript/ql/src/semmle/javascript/ApiGraphs.qll
+++ b/javascript/ql/src/semmle/javascript/ApiGraphs.qll
@@ -578,7 +578,11 @@ module API {
        ref = DataFlow::moduleImport(m)
      )
      or
-      exists(DataFlow::ClassNode cls | nd = MkClassInstance(cls) | ref = cls.getAReceiverNode())
+      exists(DataFlow::ClassNode cls | nd = MkClassInstance(cls) |
+        ref = cls.getAReceiverNode()
+        or
+        ref = cls.(DataFlow::ClassNode::FunctionStyleClass).getAPrototypeReference()
+      )
      or
      nd = MkUse(ref)
      or
--- a/javascript/ql/test/ApiGraphs/classes/classes.js
+++ b/javascript/ql/test/ApiGraphs/classes/classes.js
@@ -20,4 +20,8 @@ MyOtherStream.prototype.write = function (data) { /* use (instance (member MyOth
    return this;
 };

+MyOtherStream.prototype.instanceProp = 1; /* def (member instanceProp (instance (member MyOtherStream (member exports (module classes))))) */
+
+MyOtherStream.classProp = 1; /* def (member classProp (member MyOtherStream (member exports (module classes)))) */
+
 module.exports.MyOtherStream = MyOtherStream;
--- a/python/ql/src/Metrics/Dependencies/ExternalDependencies.ql
+++ b/python/ql/src/Metrics/Dependencies/ExternalDependencies.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name External dependencies
 * @description Count the number of dependencies that a Python source file has on external packages.
 * @kind treemap
--- a/python/ql/src/Metrics/Dependencies/ExternalDependenciesSourceLinks.ql
+++ b/python/ql/src/Metrics/Dependencies/ExternalDependenciesSourceLinks.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name External dependency source links
 * @kind source-link
 * @metricType externalDependency
--- a/python/ql/src/Metrics/FLinesOfDuplicatedCode.ql
+++ b/python/ql/src/Metrics/FLinesOfDuplicatedCode.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Duplicated lines in files
 * @description The number of lines in a file, including code, comment and whitespace lines,
 *              which are duplicated in at least one other place.
--- a/python/ql/src/Metrics/FLinesOfSimilarCode.ql
+++ b/python/ql/src/Metrics/FLinesOfSimilarCode.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Similar lines in files
 * @description The number of lines in a file, including code, comment and whitespace lines,
 *              which are similar in at least one other place.
--- a/python/ql/src/codeql-suites/python-lgtm-full.qls
+++ b/python/ql/src/codeql-suites/python-lgtm-full.qls
@@ -8,10 +8,6 @@
      - ide-contextual-queries/local-definitions
      - ide-contextual-queries/local-references
 - query: Lexical/FCommentedOutCode.ql
- query: Metrics/Dependencies/ExternalDependencies.ql
- query: Metrics/Dependencies/ExternalDependenciesSourceLinks.ql
 - query: Metrics/FLinesOfCode.ql
 - query: Metrics/FLinesOfComments.ql
- query: Metrics/FLinesOfDuplicatedCode.ql
- query: Metrics/FLinesOfSimilarCode.ql
 - query: Metrics/FNumberOfTests.ql
--- a/python/ql/src/external/DuplicateFunction.ql
+++ b/python/ql/src/external/DuplicateFunction.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Duplicate function
 * @description There is another identical implementation of this function. Extract the code to a common file or superclass to improve sharing.
 * @kind problem
--- a/python/ql/src/external/MostlyDuplicateClass.ql
+++ b/python/ql/src/external/MostlyDuplicateClass.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Mostly duplicate class
 * @description More than 80% of the methods in this class are duplicated in another class. Create a common supertype to improve code sharing.
 * @kind problem
--- a/python/ql/src/external/MostlyDuplicateFile.ql
+++ b/python/ql/src/external/MostlyDuplicateFile.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Mostly duplicate module
 * @description There is another file that shares a lot of the code with this file. Merge the two files to improve maintainability.
 * @kind problem
--- a/python/ql/src/external/MostlySimilarFile.ql
+++ b/python/ql/src/external/MostlySimilarFile.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Mostly similar module
 * @description There is another module that shares a lot of the code with this module. Notice that names of variables and types may have been changed. Merge the two modules to improve maintainability.
 * @kind problem
--- a/python/ql/src/external/SimilarFunction.ql
+++ b/python/ql/src/external/SimilarFunction.ql
@@ -1,4 +1,5 @@
 /**
+ * @deprecated
 * @name Similar function
 * @description There is another function that is very similar this one. Extract the common code to a common function to improve sharing.
 * @kind problem
--- a/python/ql/src/semmle/python/Files.qll
+++ b/python/ql/src/semmle/python/Files.qll
@@ -415,6 +415,12 @@ class Location extends @location {
        locations_ast(this, m, startline, startcolumn, endline, endcolumn)
      )
    )
+    or
+    // Packages have no suitable filepath, so we use just the path instead.
+    exists(Module m | not exists(m.getFile()) |
+      filepath = m.getPath().getAbsolutePath() and
+      locations_ast(this, m, startline, startcolumn, endline, endcolumn)
+    )
  }
 }

--- a/python/ql/test/library-tests/PointsTo/import_star/Values.expected
+++ b/python/ql/test/library-tests/PointsTo/import_star/Values.expected
@@ -1,4 +1,4 @@
 | nested/__init__.py:1:6:1:12 | ControlFlowNode for ImportExpr | import | nested/nested.py:0:0:0:0 | Module nested.nested |
 | nested/nested.py:1:1:1:13 | ControlFlowNode for FunctionExpr | import | nested/nested.py:1:1:1:13 | Function nested |
-| test.py:1:6:1:11 | ControlFlowNode for ImportExpr | import | file://:0:0:0:0 | Package nested |
+| test.py:1:6:1:11 | ControlFlowNode for ImportExpr | import | nested:0:0:0:0 | Package nested |
 | test.py:2:1:2:6 | ControlFlowNode for nested | import | nested/nested.py:1:1:1:13 | Function nested |
				`@@ -0,0 +1 @@`
				`//semmle-extractor-options: --javac-args --enable-preview -source 14 -target 14`